dolibarr 24.0.0-beta
api.class.php
1<?php
2/* Copyright (C) 2015 Jean-François Ferry <jfefe@aternatik.fr>
3 * Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net>
4/* Copyright (C) 2015 Jean-François Ferry <jfefe@aternatik.fr>
5 * Copyright (C) 2016 Laurent Destailleur <eldy@users.sourceforge.net>
6 * Copyright (C) 2020-2025 Frédéric France <frederic.france@free.fr>
7 * Copyright (C) 2024-2025 MDW <mdeweerd@users.noreply.github.com>
8 * Copyright (C) 2025-2026 William Mead <william@m34d.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program. If not, see <https://www.gnu.org/licenses/>.
22 */
23
24use Luracast\Restler\Restler;
25use Luracast\Restler\Defaults;
26use Luracast\Restler\RestException;
27
28require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';
29
30
34class DolibarrApi
35{
39 protected $db;
40
44 public $r;
45
53 public function __construct($db, $cachedir = '', $refreshCache = false)
54 {
55 global $conf, $dolibarr_main_url_root;
56
57 if (empty($cachedir)) {
58 $cachedir = $conf->api->dir_temp;
59 }
60 Defaults::$cacheDirectory = $cachedir;
61
62 $this->db = $db;
63
64 $production_mode = getDolGlobalBool('API_PRODUCTION_MODE');
65
66 if ($production_mode) {
67 // Create the directory Defaults::$cacheDirectory if it does not exist. If dir does not exist, using production_mode generates an error 500.
68 include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
69 if (!dol_is_dir(Defaults::$cacheDirectory)) {
70 dol_mkdir(Defaults::$cacheDirectory, DOL_DATA_ROOT);
71 }
72 if (getDolGlobalString('MAIN_API_DEBUG')) {
73 dol_syslog("Debug API construct::cacheDirectory=".Defaults::$cacheDirectory, LOG_DEBUG, 0, '_api');
74 }
75 }
76
77 $this->r = new Restler($production_mode, $refreshCache);
78
79 $urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
80 $urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
81
82 $urlwithouturlrootautodetect = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim(DOL_MAIN_URL_ROOT));
83 $urlwithrootautodetect = $urlwithouturlroot.DOL_URL_ROOT; // This is to use local domain autodetected by dolibarr from url
84
85 $this->r->setBaseUrls($urlwithouturlroot, $urlwithouturlrootautodetect);
86 $this->r->setAPIVersion(1);
87 //$this->r->setSupportedFormats('json');
88 //$this->r->setSupportedFormats('jsonFormat');
89 }
90
91 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
101 protected function _checkValForAPI($field, $value, $object)
102 {
103 // phpcs:enable
104 if (!is_array($value)) {
105 // Make protected values for forbidden properties
106 /* Disabled. A protection exists to check that ->entity is same than the HTTP header DOLAPIENTITY
107 if (in_array($field, array('entity'))) {
108 throw new RestException(400, 'Parameter '.$field.' is not allowed in request. To work on a different entity, you must set the entity into the HTTP header "DOLAPIENTITY: idOfEntity"');
109 }*/
110 if (in_array($field, array(
111 'db', 'table_element', 'table_rowid', 'table_ref_field', 'table_element_line', 'element', 'fk_element', 'element_for_permission', 'class_element_line',
112 'fields', 'TRIGGER_PREFIX', 'picto',
113 'restrictiononfksoc', 'ismultientitymanaged', 'isextrafieldmanaged',
114 'module', 'error', 'errorhidden', 'errors', 'warning', 'warnings', 'validateFieldsErrors',
115 'oldcopy', 'oldref', 'newref', 'context',
116 'actionmsg', 'actionmsg2', 'thirdparty', 'user',
117 'tpl', 'extraparams',
118 'childtables', 'childtablesoncascade'
119 ))) {
120 throw new RestException(400, 'Parameter '.$field.' is not allowed in request');
121 }
122 if (in_array($field, array('specimen'))) {
123 // Allowed but not used
124 dol_syslog('Debug API _checkValForAPI, found use of field specimen', LOG_DEBUG, 0, '_api');
125 }
126
127 // Sanitize the value using its type declared into ->fields of $object
128 if (!empty($object->fields) && !empty($object->fields[$field]) && !empty($object->fields[$field]['type'])) {
129 if (strpos($object->fields[$field]['type'], 'int') || strpos($object->fields[$field]['type'], 'double') || in_array($object->fields[$field]['type'], array('real', 'price', 'stock'))) {
130 return sanitizeVal($value, 'int');
131 }
132 if ($object->fields[$field]['type'] == 'html') {
133 return sanitizeVal($value, 'restricthtml');
134 }
135 if ($object->fields[$field]['type'] == 'select') {
136 // Check values are in the list of possible 'options'
137 return sanitizeVal($value, 'alphanohtml');
138 }
139 if ($object->fields[$field]['type'] == 'sellist' || $object->fields[$field]['type'] == 'checkbox') {
140 return sanitizeVal($value, 'alphanohtml');
141 }
142 if ($object->fields[$field]['type'] == 'boolean' || $object->fields[$field]['type'] == 'radio') {
143 return sanitizeVal($value, 'alphanohtml');
144 }
145 if ($object->fields[$field]['type'] == 'email') {
146 return sanitizeVal($value, 'email');
147 }
148 if ($object->fields[$field]['type'] == 'password') {
149 return sanitizeVal($value, 'password');
150 }
151 // Others will use 'alphanohtml'
152 }
153
154 // In case of a field with unknown type (legacy code), we use other tricks to guess a more accurate type
155
156 // We try to use its name to have a chance to sanitize it
157 if (preg_match('/^fk_/i', $field)) {
158 // We accept only integer
159 return sanitizeVal($value, 'int');
160 }
161 if (in_array($field, array('note', 'note_private', 'note_public', 'desc', 'description'))) {
162 return sanitizeVal($value, 'restricthtml');
163 }
164
165 return sanitizeVal($value, 'alphanohtml');
166 } else { // Example when $field = 'extrafields' and $value = content of $object->array_options
167 $newarrayvalue = array();
168 foreach ($value as $tmpkey => $tmpvalue) {
169 $newarrayvalue[$tmpkey] = $this->_checkValForAPI($tmpkey, $tmpvalue, $object);
170 }
171
172 return $newarrayvalue;
173 }
174 }
175
176 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
185 protected function _checkValExtrafieldsForAPI($field, $value, $object)
186 {
187 global $extrafields;
188
189 // phpcs:enable
190 if (!is_array($value)) {
191 // Sanitize the value using its type declared into ->fields of $object
192 $typeOfExtraField = '';
193 if (!empty($extrafields->attributes) && !empty($extrafields->attributes[$object->table_element])
194 && !empty($extrafields->attributes[$object->table_element]['type'])
195 && !empty($extrafields->attributes[$object->table_element]['type'][$field])) {
196 $typeOfExtraField = $extrafields->attributes[$object->table_element]['type'][$field];
197 }
198
199 if ($typeOfExtraField) {
200 if (strpos($typeOfExtraField, 'int') || strpos($typeOfExtraField, 'double') || in_array($typeOfExtraField, array('real', 'price', 'stock'))) {
201 return sanitizeVal($value, 'int');
202 }
203 if ($typeOfExtraField == 'html') {
204 return sanitizeVal($value, 'restricthtml');
205 }
206 if ($typeOfExtraField == 'select') {
207 // TODO Check values are in the list of possible 'options'
208 return sanitizeVal($value, 'alphanohtml');
209 }
210 if ($typeOfExtraField == 'sellist' || $typeOfExtraField == 'checkbox') {
211 return sanitizeVal($value, 'alphanohtml');
212 }
213 if ($typeOfExtraField == 'boolean' || $typeOfExtraField == 'radio') {
214 return sanitizeVal($value, 'alphanohtml');
215 }
216 if ($typeOfExtraField == 'email') {
217 return sanitizeVal($value, 'email');
218 }
219 if ($typeOfExtraField == 'password') {
220 return sanitizeVal($value, 'password');
221 }
222 // Others will use 'alphanohtml'
223 }
224
225 return sanitizeVal($value, 'alphanohtml');
226 } else { // Example when $field = 'extrafields' and $value = content of $object->array_options
227 $newarrayvalue = array();
228 foreach ($value as $tmpkey => $tmpvalue) {
229 $newarrayvalue[$tmpkey] = $this->_checkValExtrafieldsForAPI($tmpkey, $tmpvalue, $object);
230 }
231
232 return $newarrayvalue;
233 }
234 }
235
236 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
248 protected function _filterObjectProperties($object, $properties)
249 {
250 // phpcs:enable
251 // If properties is empty, we return all properties
252 if (empty($properties)) {
253 return $object;
254 }
255
256 // Copy of exploded array for efficiency
257 $arr_properties = explode(',', $properties);
258 $magic_properties = array();
259 $real_properties = get_object_vars($object);
260
261 // Unsetting real properties may unset magic properties.
262 // We keep a copy of the requested magic properties
263 foreach ($arr_properties as $key) {
264 if (!array_key_exists($key, $real_properties)) {
265 // Not a real property,
266 // check if $key is a magic property (we want to keep '$obj->$key')
267 if (property_exists($object, $key) && isset($object->$key)) {
268 $magic_properties[$key] = $object->$key;
269 }
270 }
271 }
272
273 // Filter real properties (may indirectly unset magic properties)
274 foreach (get_object_vars($object) as $key => $value) {
275 if (!in_array($key, $arr_properties)) {
276 unset($object->$key);
277 }
278 }
279
280 // Restore the magic properties
281 foreach ($magic_properties as $key => $value) {
282 $object->$key = $value;
283 }
284
285 return $object;
286 }
287
288 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
299 protected function _cleanObjectDatas($object)
300 {
301 // phpcs:enable
302 // Remove $db object property for object
303 unset($object->db);
304 unset($object->isextrafieldmanaged);
305 unset($object->ismultientitymanaged);
306 unset($object->restrictiononfksoc);
307 unset($object->table_rowid);
308 unset($object->pass);
309 unset($object->pass_indatabase);
310
311 // Remove linkedObjects. We should already have and keep only linkedObjectsIds that avoid huge responses
312 unset($object->linkedObjects);
313 //unset($object->lines[$i]->linked_objects); // This is the array to create linked object during create
314
315 unset($object->fields);
316 unset($object->oldline);
317
318 unset($object->error);
319 unset($object->errors);
320 unset($object->errorhidden);
321 unset($object->warning);
322 unset($object->warnings);
323 unset($object->TRIGGER_PREFIX);
324
325 unset($object->ref_previous);
326 unset($object->ref_next);
327 unset($object->imgWidth);
328 unset($object->imgHeight);
329 unset($object->barcode_type_code);
330 unset($object->barcode_type_label);
331
332 unset($object->mode_reglement); // We use mode_reglement_id now
333 unset($object->cond_reglement); // We use cond_reglement_id now
334 unset($object->note); // We use note_public or note_private now
335 unset($object->contact); // We use contact_id now
336 unset($object->thirdparty); // We use thirdparty_id or fk_soc or socid now
337
338 unset($object->project); // Should be fk_project
339 unset($object->fk_projet); // Should be fk_project
340 unset($object->author); // Should be fk_user_author
341 unset($object->timespent_old_duration);
342 unset($object->timespent_id);
343 unset($object->timespent_duration);
344 unset($object->timespent_date);
345 unset($object->timespent_datehour);
346 unset($object->timespent_withhour);
347 unset($object->timespent_fk_user);
348 unset($object->timespent_note);
349 unset($object->fk_delivery_address);
350 unset($object->fk_multicurrency);
351 //unset($object->model_pdf);
352 unset($object->sendtoid);
353 unset($object->name_bis);
354 unset($object->newref);
355 unset($object->oldref);
356 unset($object->alreadypaid);
357 unset($object->openid);
358 unset($object->fk_bank);
359 unset($object->showphoto_on_popup);
360 unset($object->nb);
361 unset($object->nbphoto);
362 unset($object->output);
363 unset($object->tpl);
364 //unset($object->libelle);
365
366 unset($object->stats_propale);
367 unset($object->stats_commande);
368 unset($object->stats_contrat);
369 unset($object->stats_facture);
370 unset($object->stats_commande_fournisseur);
371 unset($object->stats_reception);
372 unset($object->stats_mrptoconsume);
373 unset($object->stats_mrptoproduce);
374
375 unset($object->fieldsforcombobox);
376 unset($object->regeximgext);
377
378 unset($object->skip_update_total);
379 unset($object->context);
380 unset($object->next_prev_filter);
381
382 unset($object->region);
383 unset($object->region_code);
384 unset($object->country);
385 unset($object->state);
386 unset($object->state_code);
387 unset($object->departement);
388 unset($object->departement_code);
389
390 unset($object->libelle_statut);
391 unset($object->libelle_paiement);
392 unset($object->labelStatus);
393 unset($object->labelStatusShort);
394
395 unset($object->actionmsg);
396 unset($object->actionmsg2);
397
398 unset($object->prefix_comm);
399
400 if (!isset($object->table_element) || ! in_array($object->table_element, array('expensereport_det', 'ticket'))) {
401 unset($object->comments);
402 }
403
404 unset($object->module);
405 unset($object->origin_object);
406 unset($object->origin);
407 unset($object->element);
408 unset($object->element_for_permission);
409 unset($object->fk_element);
410 unset($object->table_element);
411 unset($object->table_element_line);
412 unset($object->class_element_line);
413 unset($object->picto);
414 unset($object->linked_objects);
415
416 // Remove the $oldcopy property because it is not supported by the JSON
417 // encoder. The following error is generated when trying to serialize
418 // it: "Error encoding/decoding JSON: Type is not supported"
419 // Note: Event if this property was correctly handled by the JSON
420 // encoder, it should be ignored because keeping it would let the API
421 // have a very strange behavior: calling PUT and then GET on the same
422 // resource would give different results:
423 // PUT /objects/{id} -> returns object with oldcopy = previous version of the object
424 // GET /objects/{id} -> returns object with oldcopy empty
425 unset($object->oldcopy);
426
427 // If object has lines, remove $db property
428 if (isset($object->lines) && is_array($object->lines) && count($object->lines) > 0) {
429 $nboflines = count($object->lines);
430 for ($i = 0; $i < $nboflines; $i++) {
431 $this->_cleanObjectDatas($object->lines[$i]);
432
433 unset($object->lines[$i]->contact);
434 unset($object->lines[$i]->contact_id);
435 unset($object->lines[$i]->country);
436 unset($object->lines[$i]->country_id);
437 unset($object->lines[$i]->country_code);
438 unset($object->lines[$i]->deposit_percent);
439 unset($object->lines[$i]->mode_reglement_id);
440 unset($object->lines[$i]->mode_reglement_code);
441 unset($object->lines[$i]->mode_reglement);
442 unset($object->lines[$i]->cond_reglement_id);
443 unset($object->lines[$i]->cond_reglement_supplier_id);
444 unset($object->lines[$i]->cond_reglement_code);
445 unset($object->lines[$i]->cond_reglement);
446 unset($object->lines[$i]->fk_delivery_address);
447 unset($object->lines[$i]->fk_projet);
448 unset($object->lines[$i]->fk_project);
449
450 unset($object->lines[$i]->thirdparty);
451 unset($object->lines[$i]->user);
452 unset($object->lines[$i]->product);
453
454 unset($object->lines[$i]->model_pdf);
455 unset($object->lines[$i]->note_public);
456 unset($object->lines[$i]->note_private);
457 unset($object->lines[$i]->fk_incoterms);
458 unset($object->lines[$i]->label_incoterms);
459 unset($object->lines[$i]->location_incoterms);
460 unset($object->lines[$i]->name);
461 unset($object->lines[$i]->lastname);
462 unset($object->lines[$i]->firstname);
463 unset($object->lines[$i]->civility_id);
464 unset($object->lines[$i]->fk_multicurrency);
465 unset($object->lines[$i]->multicurrency_code);
466 unset($object->lines[$i]->shipping_method_id);
467 }
468 }
469
470 if (!empty($object->thirdparty) && is_object($object->thirdparty)) {
471 $this->_cleanObjectDatas($object->thirdparty);
472 }
473
474 if (!empty($object->product) && is_object($object->product)) {
475 $this->_cleanObjectDatas($object->product);
476 }
477
478 return $object;
479 }
480
481 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
493 protected static function _checkAccessToResource($resource, $resource_id = 0, $dbtablename = '', $feature2 = '', $dbt_keyfield = 'fk_soc', $dbt_select = 'rowid')
494 {
495 // phpcs:enable
496 // Features/modules to check
497 $featuresarray = array($resource);
498 if (preg_match('/&/', $resource)) {
499 $featuresarray = explode("&", $resource);
500 } elseif (preg_match('/\|/', $resource)) {
501 $featuresarray = explode("|", $resource);
502 }
503
504 // More subfeatures to check
505 if (!empty($feature2)) {
506 $feature2 = explode("|", $feature2);
507 }
508
509 return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray, $resource_id, $dbtablename, $feature2, $dbt_keyfield, $dbt_select);
510 }
511
512 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
521 protected function _checkFilters($sqlfilters, &$error = '')
522 {
523 // phpcs:enable
524 $firstandlastparenthesis = 0;
525 return dolCheckFilters($sqlfilters, $error, $firstandlastparenthesis);
526 }
527
528 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.ScopeNotCamelCaps
529 // phpcs:disable PEAR.NamingConventions.ValidFunctionName.PublicUnderscore
539 protected static function _forge_criteria_callback($matches)
540 {
541 return dolForgeSQLCriteriaCallback($matches);
542 }
543}
$object
if(! $sortfield) if(! $sortorder) $object
Definition account.php:100
$dolibarr_main_url_root
global $dolibarr_main_url_root
Definition clicktodial.php:135
DolibarrApi
Class for API REST v1.
Definition api.class.php:35
DolibarrApi\__construct
__construct($db, $cachedir='', $refreshCache=false)
Constructor.
Definition api.class.php:53
DolibarrApi\_checkValExtrafieldsForAPI
_checkValExtrafieldsForAPI($field, $value, $object)
Check and convert a string depending on its type/name.
Definition api.class.php:185
DolibarrApi\_filterObjectProperties
_filterObjectProperties($object, $properties)
Filter properties that will be returned on object.
Definition api.class.php:248
DolibarrApi\_checkAccessToResource
static _checkAccessToResource($resource, $resource_id=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid')
Check access by user to a given resource.
Definition api.class.php:493
DolibarrApi\_checkFilters
_checkFilters($sqlfilters, &$error='')
Return if a $sqlfilters parameter is valid Function no more used.
Definition api.class.php:521
DolibarrApi\_checkValForAPI
_checkValForAPI($field, $value, $object)
Check and convert a string depending on its type/name.
Definition api.class.php:101
DolibarrApi\_cleanObjectDatas
_cleanObjectDatas($object)
Clean sensitive object data @phpstan-template T.
Definition api.class.php:299
DolibarrApi\_forge_criteria_callback
static _forge_criteria_callback($matches)
Function to forge a SQL criteria from a Generic filter string.
Definition api.class.php:539
$conf
if(!isModEnabled('ai')||!getDolGlobalString('AI_ASSISTANT_ENABLED')) global $conf
The main.inc.php has been included so the following variable are now defined:
Definition execute_tool.php:50
dol_is_dir
dol_is_dir($folder)
Test if filename is a directory.
Definition files.lib.php:587
getDolGlobalBool
getDolGlobalBool($key, $default=false)
Return a Dolibarr global constant boolean value.
Definition functions.lib.php:350
getDolGlobalString
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
Definition functions.lib.php:286
sanitizeVal
sanitizeVal($out='', $check='alphanohtml', $filter=null, $options=null)
Return a sanitized or empty value after checking value against a rule.
Definition functions.lib.php:1360
dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
Definition functions.lib.php:2754
dol_mkdir
dol_mkdir($dir, $dataroot='', $newmask='')
Creation of a directory (this can create recursive subdir)
Definition functions.lib.php:8938
checkUserAccessToObject
checkUserAccessToObject($user, array $featuresarray, $object=0, $tableandshare='', $feature2='', $dbt_keyfield='', $dbt_select='rowid', $parenttableforentity='')
Check that access by a given user to an object is ok.
Definition security.lib.php:718
Generated on Mon Jun 22 2026 21:04:33 for dolibarr by Doxygen 1.11.0