30use Luracast\Restler\Format\UploadFormat;
38@ini_set(
'display_errors',
'0');
39@ini_set(
'log_errors',
'1');
41if (!defined(
'NOCSRFCHECK')) {
42 define(
'NOCSRFCHECK',
'1');
44if (!defined(
'NOTOKENRENEWAL')) {
45 define(
'NOTOKENRENEWAL',
'1');
47if (!defined(
'NOREQUIREMENU')) {
48 define(
'NOREQUIREMENU',
'1');
50if (!defined(
'NOREQUIREHTML')) {
51 define(
'NOREQUIREHTML',
'1');
53if (!defined(
'NOREQUIREAJAX')) {
54 define(
'NOREQUIREAJAX',
'1');
56if (!defined(
"NOLOGIN")) {
57 define(
"NOLOGIN",
'1');
59if (!defined(
"NOSESSION")) {
60 define(
"NOSESSION",
'1');
62if (!defined(
"NODEFAULTVALUES")) {
63 define(
"NODEFAULTVALUES",
'1');
67if (!empty($_SERVER[
'HTTP_DOLAPIENTITY'])) {
68 define(
"DOLENTITY", (
int) $_SERVER[
'HTTP_DOLAPIENTITY']);
72if (!empty($_SERVER[
'REQUEST_METHOD']) && $_SERVER[
'REQUEST_METHOD'] ==
'OPTIONS' && !empty($_SERVER[
'HTTP_ACCESS_CONTROL_REQUEST_HEADERS'])) {
73 header(
'Access-Control-Allow-Origin: *');
74 header(
'Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
75 header(
'Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
76 http_response_code(204);
81if (preg_match(
'/\/explorer\/swagger\.json/', $_SERVER[
"PHP_SELF"])) {
82 header(
'Access-Control-Allow-Origin: *');
83 header(
'Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
84 header(
'Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
87if (preg_match(
'/\/api\/index\.php/', $_SERVER[
"PHP_SELF"])) {
88 header(
'Access-Control-Allow-Origin: *');
89 header(
'Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
90 header(
'Access-Control-Allow-Headers: Content-Type, Authorization, api_key, DOLAPIKEY');
92header(
'X-Frame-Options: SAMEORIGIN');
96if (!$res && file_exists(
"../main.inc.php")) {
97 $res = include
'../main.inc.php';
100 die(
"Include of main fails");
103require_once DOL_DOCUMENT_ROOT.
'/includes/restler/framework/Luracast/Restler/AutoLoader.php';
110 $loader = Luracast\Restler\AutoLoader::instance();
111 spl_autoload_register($loader);
116require_once DOL_DOCUMENT_ROOT.
'/api/class/api.class.php';
117require_once DOL_DOCUMENT_ROOT.
'/api/class/api_access.class.php';
118require_once DOL_DOCUMENT_ROOT.
'/core/lib/functions2.lib.php';
129$conf->global->MAIN_DISALLOW_UNSECURED_SELECT_INTO_EXTRAFIELDS_FILTER = 1;
132$url = $_SERVER[
'PHP_SELF'];
133if (preg_match(
'/api\/index\.php$/', $url)) {
134 $url = $_SERVER[
'PHP_SELF'].(empty($_SERVER[
'PATH_INFO']) ? $_SERVER[
'ORIG_PATH_INFO'] : $_SERVER[
'PATH_INFO']);
138 $url = (isset($_SERVER[
'SCRIPT_URI']) && $_SERVER[
"SCRIPT_URI"] !==
null) ? $_SERVER[
"SCRIPT_URI"] : $_SERVER[
'PHP_SELF'];
142if (!isModEnabled(
'api')) {
143 $langs->load(
"admin");
144 dol_syslog(
"Call of Dolibarr API interfaces with module API REST are disabled");
145 print $langs->trans(
"WarningModuleNotActive",
'Api').
'.<br><br>';
146 print $langs->trans(
"ToActivateModule");
152if (preg_match(
'/api\/index\.php\/explorer/', $url) &&
getDolGlobalString(
'API_EXPLORER_DISABLED')) {
153 $langs->load(
"admin");
154 dol_syslog(
"Call Dolibarr API interfaces with module API REST disabled");
155 print $langs->trans(
"WarningAPIExplorerDisabled").
'.<br><br>';
176preg_match(
'/index\.php\/([^\/]+)(.*)$/', $url, $reg);
180$hookmanager->initHooks(array(
'api'));
186$refreshcache = (
getDolGlobalString(
'API_PRODUCTION_DO_NOT_ALWAYS_REFRESH_CACHE') ? false :
true);
187if (!empty($reg[1]) && $reg[1] ==
'explorer' && ($reg[2] ==
'/swagger.json' || $reg[2] ==
'/swagger.json/root' || $reg[2] ==
'/resources.json' || $reg[2] ==
'/resources.json/root')) {
188 $refreshcache =
true;
189 if (!is_writable(
$conf->api->dir_temp)) {
190 dol_syslog(
"ErrorFailedToWriteInApiTempDirectory ".
$conf->api->dir_temp, LOG_ERR);
191 print
'Erreur temp dir api/temp not writable';
192 header(
'HTTP/1.1 500 temp dir api/temp not writable');
203 $r->onCall(
function () use ($r) {
212 dol_syslog(
"Debug API url ".var_export($r->url,
true), LOG_DEBUG, 0,
'_api');
213 dol_syslog(
"Debug API input ".var_export($r->getRequestData(),
true), LOG_DEBUG, 0,
'_api');
221$api->r->addAPIClass(
'Luracast\\Restler\\Explorer');
223$api->r->setSupportedFormats(
'JsonFormat',
'XmlFormat',
'UploadFormat');
224$api->r->addAuthenticationClass(
'DolibarrApiAccess',
'');
227UploadFormat::$allowedMimeTypes = array(
'image/jpeg',
'image/png',
'text/plain',
'application/octet-stream');
234 if (!in_array($ipremote, $allowedip)) {
236 print
'APIs are not allowed from the IP '.$ipremote;
237 header(
'HTTP/1.1 503 API not allowed from your IP '.$ipremote);
245if (!empty($reg[1]) && $reg[1] ==
'explorer' && ($reg[2] ==
'/swagger.json' || $reg[2] ==
'/swagger.json/root' || $reg[2] ==
'/resources.json' || $reg[2] ==
'/resources.json/root')) {
248 $listofapis = array();
251 foreach ($modulesdir as $dir) {
253 dol_syslog(
"Scan directory ".$dir.
" for module descriptor files, then search for API files");
256 if (is_resource($handle)) {
257 while (($file = readdir($handle)) !==
false) {
259 if (is_readable($dir.$file) && preg_match(
"/^mod(.*)\.class\.php$/i", $file, $regmod)) {
260 $module = strtolower($regmod[1]);
262 $modulenameforenabled = $module;
263 if ($module ==
'propale') {
264 $modulenameforenabled =
'propal';
265 } elseif ($module ==
'supplierproposal') {
266 $modulenameforenabled =
'supplier_proposal';
267 } elseif ($module ==
'ficheinter') {
268 $modulenameforenabled =
'intervention';
269 } elseif ($module ==
'product' && !isModEnabled(
'product') && isModEnabled(
'service')) {
270 $modulenameforenabled =
'service';
273 dol_syslog(
"Found module file ".$file.
" - module=".$module.
" - modulenameforenabled=".$modulenameforenabled.
" - moduledirforclass=".$moduledirforclass);
277 if (!isModEnabled($modulenameforenabled)) {
288 if (is_resource($handle_part)) {
289 while (($file_searched = readdir($handle_part)) !==
false) {
290 if ($file_searched ==
'api_access.class.php') {
295 if ($file_searched ==
'api_login.class.php' &&
getDolGlobalString(
'API_DISABLE_LOGIN_API')) {
302 if (is_readable($dir_part.$file_searched) && preg_match(
"/^api_(.*)\.class\.php$/i", $file_searched, $regapi)) {
303 $classname = ucwords($regapi[1]);
304 $classname = str_replace(
'_',
'', $classname);
305 require_once $dir_part.$file_searched;
306 if (class_exists($classname.
'Api')) {
308 $listofapis[strtolower($classname.
'Api')] = $classname.
'Api';
309 } elseif (class_exists($classname)) {
311 $listofapis[strtolower($classname)] = $classname;
313 dol_syslog(
"We found an api_xxx file (".$file_searched.
") but class ".$classname.
" does not exists after loading file", LOG_WARNING);
327 foreach ($listofapis as $apiname => $classname) {
328 $api->r->addAPIClass($classname, $apiname);
335if (!empty($reg[1]) && ($reg[1] !=
'explorer' || ($reg[2] !=
'/swagger.json' && $reg[2] !=
'/resources.json' && preg_match(
'/^\/(swagger|resources)\.json\/(.+)$/', $reg[2], $regbis) && $regbis[2] !=
'root'))) {
336 $moduleobject = $reg[1];
337 if ($moduleobject ==
'explorer') {
338 $moduleobject = $regbis[2];
341 $moduleobject = strtolower($moduleobject);
345 dol_syslog(
"Load a dedicated API file moduleobject=".$moduleobject.
" moduledirforclass=".$moduledirforclass);
347 $tmpmodule = $moduleobject;
348 if ($tmpmodule !=
'api') {
349 $tmpmodule = preg_replace(
'/api$/i',
'', $tmpmodule);
351 $classfile = str_replace(
'_',
'', $tmpmodule);
354 if ($moduleobject ==
'supplierproposals') {
355 $classfile =
'supplier_proposals';
357 if ($moduleobject ==
'supplierorders') {
358 $classfile =
'supplier_orders';
360 if ($moduleobject ==
'supplierinvoices') {
361 $classfile =
'supplier_invoices';
363 if ($moduleobject ==
'ficheinter') {
364 $classfile =
'interventions';
366 if ($moduleobject ==
'interventions') {
367 $classfile =
'interventions';
369 if ($moduleobject ==
'eventattendees') {
370 $moduledirforclass =
'eventorganization';
373 $dir_part_file =
dol_buildpath(
'/'.$moduledirforclass.
'/class/api_'.$classfile.
'.class.php', 0, 2);
375 $classname = ucwords($moduleobject);
381 $endpointisallowed =
false;
383 foreach ($listofendpoints as $endpointrule) {
384 $tmparray = explode(
':', $endpointrule);
385 if (($classfile == $tmparray[0] || $classfile.
'api' == $tmparray[0]) && $tmparray[1] == 1) {
386 $endpointisallowed =
true;
391 if (! $endpointisallowed) {
392 dol_syslog(
'The API with endpoint /'.$classfile.
' is forbidden by config API_ENDPOINT_RULES', LOG_WARNING);
393 print
'The API with endpoint /'.$classfile.
' is forbidden by config API_ENDPOINT_RULES';
394 header(
'HTTP/1.1 501 API is forbidden by API_ENDPOINT_RULES');
400 $parameters = array(
'url' => $url,
'ip' =>
getUserRemoteIP(),
'moduleobject' => $moduleobject,
'classfile' => $classfile,
'classname' => $classname);
402 $action = $api->r->requestMethod;
404 $reshook = $hookmanager->executeHooks(
'beforeApiCall', $parameters,
$object, $action);
406 dol_syslog(
'beforeapicall Failed to call hook '.$hookmanager->error, LOG_ERR);
409 dol_syslog(
'Search api file /'.$moduledirforclass.
'/class/api_'.$classfile.
'.class.php => dir_part_file='.$dir_part_file.
', classname='.$classname);
412 if ($dir_part_file) {
413 $res = include_once $dir_part_file;
416 dol_syslog(
'Failed to make include_once '.$dir_part_file, LOG_WARNING);
417 print
'API not found (failed to include API file)';
418 header(
'HTTP/1.1 501 API not found (failed to include API file)');
423 if (class_exists($classname)) {
424 $api->r->addAPIClass($classname);
434$usecompression = (!
getDolGlobalString(
'API_DISABLE_COMPRESSION') && !empty($_SERVER[
'HTTP_ACCEPT_ENCODING']));
435$foundonealgorithm = 0;
436if ($usecompression) {
437 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'br') !==
false && function_exists(
'brotli_compress')) {
438 $foundonealgorithm++;
440 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'bz') !==
false && function_exists(
'bzcompress')) {
441 $foundonealgorithm++;
443 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'gzip') !==
false && function_exists(
'gzencode')) {
444 $foundonealgorithm++;
446 if (!$foundonealgorithm) {
447 $usecompression =
false;
453Luracast\Restler\Defaults::$returnResponse = $usecompression;
457$responsedata = $api->r->handle();
459if (Luracast\Restler\Defaults::$returnResponse) {
461 if (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'br') !==
false && function_exists(
'brotli_compress') && defined(
'BROTLI_TEXT')) {
462 header(
'Content-Encoding: br');
463 $result = brotli_compress($responsedata, 11, constant(
'BROTLI_TEXT'));
464 } elseif (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'bz') !==
false && function_exists(
'bzcompress')) {
465 header(
'Content-Encoding: bz');
466 $result = bzcompress($responsedata, 9);
467 } elseif (strpos($_SERVER[
'HTTP_ACCEPT_ENCODING'],
'gzip') !==
false && function_exists(
'gzencode')) {
468 header(
'Content-Encoding: gzip');
469 $result = gzencode($responsedata, 9);
471 header(
'Content-Encoding: text/html');
472 print
"No compression method found. Try to disable compression by adding API_DISABLE_COMPRESSION=1";
480if (
getDolGlobalInt(
"API_ENABLE_COUNT_CALLS") && $api->r->responseCode == 200) {
483 $userid = DolibarrApiAccess::$user->id;
485 $sql =
"SELECT up.value";
486 $sql .=
" FROM ".MAIN_DB_PREFIX.
"user_param as up";
487 $sql .=
" WHERE up.param = 'API_COUNT_CALL'";
488 $sql .=
" AND up.fk_user = ".((int) $userid);
489 $sql .=
" AND up.entity = ".((int)
$conf->entity);
491 $result = $db->query($sql);
494 $nbrows = $db->num_rows($result);
496 $sql2 =
"INSERT INTO ".MAIN_DB_PREFIX.
"user_param";
497 $sql2 .=
" (fk_user, entity, param, value)";
498 $sql2 .=
" VALUES (".((int) $userid).
", ".((int)
$conf->entity).
", 'API_COUNT_CALL', 1)";
501 $sql2 =
"UPDATE ".MAIN_DB_PREFIX.
"user_param as up";
502 $sql2 .=
" SET up.value = up.value + 1";
503 $sql2 .=
" WHERE up.param = 'API_COUNT_CALL'";
504 $sql2 .=
" AND up.fk_user = ".((int) $userid);
505 $sql2 .=
" AND up.entity = ".((int)
$conf->entity);
508 $result2 = $db->query($sql2);
510 $modeapicall = $updateapi ?
'updating' :
'inserting';
511 dol_syslog(
'Error while '.$modeapicall.
' API_COUNT_CALL for user '.$userid, LOG_ERR);
515 dol_syslog(
'Error on select API_COUNT_CALL for user '.$userid, LOG_ERR);
527$apiMethodInfo = &$api->r->apiMethodInfo;
528$terminateCall =
'_terminate_' . $apiMethodInfo->methodName .
'_' . $api->r->responseFormat->getExtension();
529if (method_exists($apiMethodInfo->className, $terminateCall)) {
534 if (function_exists(
'fastcgi_finish_request')) {
535 fastcgi_finish_request();
539 call_user_func(array(Luracast\Restler\Scope::get($apiMethodInfo->className), $terminateCall), $responsedata);
if( $user->socid > 0) if(! $user->hasRight('accounting', 'chartofaccount')) $object
getModuleDirForApiClass($moduleobject)
Get name of directory where the api_...class.php file is stored.
dolGetModulesDirs($subdir='')
Return list of directories that contain modules.
dol_osencode($str)
Return a string encoded into OS filesystem encoding.
getDolGlobalInt($key, $default=0)
Return a Dolibarr global constant int value.
dol_buildpath($path, $type=0, $returnemptyifnotfound=0)
Return path of url or filesystem.
getUserRemoteIP($trusted=0)
Return the real IP of remote user.
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
global $conf
The following vars must be defined: $type2label $form $conf, $lang, The following vars may also be de...