28 use Luracast\Restler\Format\UploadFormat;
30 if (!defined(
'NOCSRFCHECK')) {
31 define(
'NOCSRFCHECK',
'1');
33 if (!defined(
'NOTOKENRENEWAL')) {
34 define(
'NOTOKENRENEWAL',
'1');
36 if (!defined(
'NOREQUIREMENU')) {
37 define(
'NOREQUIREMENU',
'1');
39 if (!defined(
'NOREQUIREHTML')) {
40 define(
'NOREQUIREHTML',
'1');
42 if (!defined(
'NOREQUIREAJAX')) {
43 define(
'NOREQUIREAJAX',
'1');
45 if (!defined(
"NOLOGIN")) {
46 define(
"NOLOGIN",
'1');
48 if (!defined(
"NOSESSION")) {
49 define(
"NOSESSION",
'1');
54 if (!empty($_SERVER[
'HTTP_DOLAPIENTITY'])) {
55 define(
"DOLENTITY", (
int) $_SERVER[
'HTTP_DOLAPIENTITY']);
59 if (!empty($_SERVER[
'REQUEST_METHOD']) && $_SERVER[
'REQUEST_METHOD'] ==
'OPTIONS' && !empty($_SERVER[
'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
60 header(
'Access-Control-Allow-Origin: *');
61 header(
'Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
62 header(
'Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
63 http_response_code(204);
68 if (preg_match(
'/\/explorer\/swagger\.json/', $_SERVER[
"PHP_SELF"])) {
69 header(
'Access-Control-Allow-Origin: *');
70 header(
'Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
71 header(
'Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
74 if (preg_match(
'/\/api\/index\.php/', $_SERVER[
"PHP_SELF"])) {
75 header(
'Access-Control-Allow-Origin: *');
76 header(
'Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
77 header(
'Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
81 if (!$res && file_exists(
"../main.inc.php")) {
82 $res = include
'../main.inc.php';
85 die(
"Include of main fails");
88 require_once DOL_DOCUMENT_ROOT.
'/includes/restler/framework/Luracast/Restler/AutoLoader.php';
90 call_user_func(
function () {
91 $loader = Luracast\Restler\AutoLoader::instance();
92 spl_autoload_register($loader);
96 require_once DOL_DOCUMENT_ROOT.
'/api/class/api.class.php';
97 require_once DOL_DOCUMENT_ROOT.
'/api/class/api_access.class.php';
98 require_once DOL_DOCUMENT_ROOT.
'/core/lib/functions2.lib.php';
101 $url = $_SERVER[
'PHP_SELF'];
102 if (preg_match(
'/api\/index\.php$/', $url)) {
103 $url = $_SERVER[
'PHP_SELF'].(empty($_SERVER[
'PATH_INFO']) ? $_SERVER[
'ORIG_PATH_INFO'] : $_SERVER[
'PATH_INFO']);
106 if (!empty($conf->global->MAIN_NGINX_FIX)) {
107 $url = (isset($_SERVER[
'SCRIPT_URI']) && $_SERVER[
"SCRIPT_URI"] !==
null) ? $_SERVER[
"SCRIPT_URI"] : $_SERVER[
'PHP_SELF'];
111 if (empty($conf->global->MAIN_MODULE_API)) {
112 $langs->load(
"admin");
113 dol_syslog(
"Call of Dolibarr API interfaces with module API REST are disabled");
114 print $langs->trans(
"WarningModuleNotActive",
'Api').
'.<br><br>';
115 print $langs->trans(
"ToActivateModule");
121 if (preg_match(
'/api\/index\.php\/explorer/', $url) && !empty($conf->global->API_EXPLORER_DISABLED)) {
122 $langs->load(
"admin");
123 dol_syslog(
"Call Dolibarr API interfaces with module API REST disabled");
124 print $langs->trans(
"WarningAPIExplorerDisabled").
'.<br><br>';
145 preg_match(
'/index\.php\/([^\/]+)(.*)$/', $url, $reg);
153 $refreshcache = (empty($conf->global->API_PRODUCTION_DO_NOT_ALWAYS_REFRESH_CACHE) ? true :
false);
154 if (!empty($reg[1]) && $reg[1] ==
'explorer' && ($reg[2] ==
'/swagger.json' || $reg[2] ==
'/swagger.json/root' || $reg[2] ==
'/resources.json' || $reg[2] ==
'/resources.json/root')) {
155 $refreshcache =
true;
156 if (!is_writable($conf->api->dir_temp)) {
157 print
'Erreur temp dir api/temp not writable';
166 if (!empty($conf->global->MAIN_API_DEBUG)) {
168 $r->onCall(
function () use ($r) {
177 dol_syslog(
"Debug API url ".var_export($r->url,
true), LOG_DEBUG, 0,
'_api');
178 dol_syslog(
"Debug API input ".var_export($r->getRequestData(),
true), LOG_DEBUG, 0,
'_api');
186 $api->r->addAPIClass(
'Luracast\\Restler\\Explorer');
188 $api->r->setSupportedFormats(
'JsonFormat',
'XmlFormat',
'UploadFormat');
189 $api->r->addAuthenticationClass(
'DolibarrApiAccess',
'');
192 UploadFormat::$allowedMimeTypes = array(
'image/jpeg',
'image/png',
'text/plain',
'application/octet-stream');
196 if (!empty($conf->global->API_RESTRICT_ON_IP)) {
197 $allowedip = explode(
' ', $conf->global->API_RESTRICT_ON_IP);
199 if (!in_array($ipremote, $allowedip)) {
200 dol_syslog(
'Remote ip is '.$ipremote.
', not into list '.$conf->global->API_RESTRICT_ON_IP);
201 print
'APIs are not allowed from the IP '.$ipremote;
202 header(
'HTTP/1.1 503 API not allowed from your IP '.$ipremote);
210 if (!empty($reg[1]) && $reg[1] ==
'explorer' && ($reg[2] ==
'/swagger.json' || $reg[2] ==
'/swagger.json/root' || $reg[2] ==
'/resources.json' || $reg[2] ==
'/resources.json/root')) {
213 $listofapis = array();
216 foreach ($modulesdir as $dir) {
218 dol_syslog(
"Scan directory ".$dir.
" for module descriptor files, then search for API files");
221 if (is_resource($handle)) {
222 while (($file = readdir($handle)) !==
false) {
224 if (is_readable($dir.$file) && preg_match(
"/^mod(.*)\.class\.php$/i", $file, $regmod)) {
225 $module = strtolower($regmod[1]);
227 $modulenameforenabled = $module;
228 if ($module ==
'propale') {
229 $modulenameforenabled =
'propal';
231 if ($module ==
'supplierproposal') {
232 $modulenameforenabled =
'supplier_proposal';
234 if ($module ==
'ficheinter') {
235 $modulenameforenabled =
'ficheinter';
238 dol_syslog(
"Found module file ".$file.
" - module=".$module.
" - modulenameforenabled=".$modulenameforenabled.
" - moduledirforclass=".$moduledirforclass);
242 if (empty($conf->$modulenameforenabled->enabled)) {
253 if (is_resource($handle_part)) {
254 while (($file_searched = readdir($handle_part)) !==
false) {
255 if ($file_searched ==
'api_access.class.php') {
260 if ($file_searched ==
'api_login.class.php' && !empty($conf->global->MAIN_MODULE_API_LOGIN_DISABLED)) {
265 if (is_readable($dir_part.$file_searched) && preg_match(
"/^api_(.*)\.class\.php$/i", $file_searched, $regapi)) {
266 $classname = ucwords($regapi[1]);
267 $classname = str_replace(
'_',
'', $classname);
268 require_once $dir_part.$file_searched;
269 if (class_exists($classname.
'Api')) {
271 $listofapis[strtolower($classname.
'Api')] = $classname.
'Api';
272 } elseif (class_exists($classname)) {
274 $listofapis[strtolower($classname)] = $classname;
276 dol_syslog(
"We found an api_xxx file (".$file_searched.
") but class ".$classname.
" does not exists after loading file", LOG_WARNING);
290 foreach ($listofapis as $apiname => $classname) {
291 $api->r->addAPIClass($classname, $apiname);
298 if (!empty($reg[1]) && ($reg[1] !=
'explorer' || ($reg[2] !=
'/swagger.json' && $reg[2] !=
'/resources.json' && preg_match(
'/^\/(swagger|resources)\.json\/(.+)$/', $reg[2], $regbis) && $regbis[2] !=
'root'))) {
299 $moduleobject = $reg[1];
300 if ($moduleobject ==
'explorer') {
301 $moduleobject = $regbis[2];
304 $moduleobject = strtolower($moduleobject);
308 dol_syslog(
"Load a dedicated API file moduleobject=".$moduleobject.
" moduledirforclass=".$moduledirforclass);
310 $tmpmodule = $moduleobject;
311 if ($tmpmodule !=
'api') {
312 $tmpmodule = preg_replace(
'/api$/i',
'', $tmpmodule);
314 $classfile = str_replace(
'_',
'', $tmpmodule);
317 if ($moduleobject ==
'supplierproposals') {
318 $classfile =
'supplier_proposals';
320 if ($moduleobject ==
'supplierorders') {
321 $classfile =
'supplier_orders';
323 if ($moduleobject ==
'supplierinvoices') {
324 $classfile =
'supplier_invoices';
326 if ($moduleobject ==
'ficheinter') {
327 $classfile =
'interventions';
329 if ($moduleobject ==
'interventions') {
330 $classfile =
'interventions';
333 $dir_part_file =
dol_buildpath(
'/'.$moduledirforclass.
'/class/api_'.$classfile.
'.class.php', 0, 2);
335 $classname = ucwords($moduleobject);
339 if (!empty($conf->global->API_ENDPOINT_RULES)) {
340 $listofendpoints = explode(
',', $conf->global->API_ENDPOINT_RULES);
341 $endpointisallowed =
false;
343 foreach ($listofendpoints as $endpointrule) {
344 $tmparray = explode(
':', $endpointrule);
345 if (($classfile == $tmparray[0] || $classfile.
'api' == $tmparray[0]) && $tmparray[1] == 1) {
346 $endpointisallowed =
true;
351 if (! $endpointisallowed) {
352 dol_syslog(
'The API with endpoint /'.$classfile.
' is forbidden by config API_ENDPOINT_RULES', LOG_WARNING);
353 print
'The API with endpoint /'.$classfile.
' is forbidden by config API_ENDPOINT_RULES';
354 header(
'HTTP/1.1 501 API is forbidden by API_ENDPOINT_RULES');
360 dol_syslog(
'Search api file /'.$moduledirforclass.
'/class/api_'.$classfile.
'.class.php => dir_part_file='.$dir_part_file.
' classname='.$classname);
363 if ($dir_part_file) {
364 $res = include_once $dir_part_file;
367 dol_syslog(
'Failed to make include_once '.$dir_part_file, LOG_WARNING);
368 print
'API not found (failed to include API file)';
369 header(
'HTTP/1.1 501 API not found (failed to include API file)');
374 if (class_exists($classname)) {
375 $api->r->addAPIClass($classname);
385 $usecompression = (empty($conf->global->API_DISABLE_COMPRESSION) && !empty($_SERVER[
'HTTP_ACCEPT_ENCODING']));
386 $foundonealgorithm = 0;
387 if ($usecompression) {
388 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'br') !==
false && is_callable(
'brotli_compress')) {
389 $foundonealgorithm++;
391 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'bz') !==
false && is_callable(
'bzcompress')) {
392 $foundonealgorithm++;
394 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'gzip') !==
false && is_callable(
'gzencode')) {
395 $foundonealgorithm++;
397 if (!$foundonealgorithm) {
398 $usecompression =
false;
404 Luracast\Restler\Defaults::$returnResponse = $usecompression;
408 $result = $api->r->handle();
410 if (Luracast\Restler\Defaults::$returnResponse) {
412 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'br') !==
false && is_callable(
'brotli_compress')) {
413 header(
'Content-Encoding: br');
414 $result = brotli_compress($result, 11, BROTLI_TEXT);
415 } elseif (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'bz') !==
false && is_callable(
'bzcompress')) {
416 header(
'Content-Encoding: bz');
417 $result = bzcompress($result, 9);
418 } elseif (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'gzip') !==
false && is_callable(
'gzencode')) {
419 header(
'Content-Encoding: gzip');
420 $result = gzencode($result, 9);
422 header(
'Content-Encoding: text/html');
423 print
"No compression method found. Try to disable compression by adding API_DISABLE_COMPRESSION=1";