Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

Fix encryption of api_key

Browse Source
This commit is contained in:
Laurent Destailleur
2023-03-13 12:48:25 +01:00
parent 80678cfcb9
commit d369a640de
5 changed files with 28 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
htdocs/api/class/api_access.class.php
View File

@@ -113,15 +113,15 @@ class DolibarrApiAccess implements iAuthenticate
$sql = "SELECT u.login, u.datec, u.api_key, ";
$sql .= " u.tms as date_modification, u.entity";
$sql .= " FROM ".MAIN_DB_PREFIX."user as u";
$sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."'";
// TODO Check if 2 users has same API key.
$sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."' OR u.api_key = '".$this->db->escape(dolEncrypt($api_key, '', '', 'dolibarr'))."'";
$result = $this->db->query($sql);
if ($result) {
if ($this->db->num_rows($result)) {
$nbrows = $this->db->num_rows($result);
if ($nbrows == 1) {
$obj = $this->db->fetch_object($result);
$login = $obj->login;
$stored_key = $obj->api_key;
$stored_key = dolDecrypt($obj->api_key);
$userentity = $obj->entity;
if (!defined("DOLENTITY") && $conf->entity != ($obj->entity ? $obj->entity : 1)) { // If API was not forced with HTTP_DOLENTITY, and user is on another entity, so we reset entity to entity of user
@@ -130,6 +130,8 @@ class DolibarrApiAccess implements iAuthenticate
dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommanded for performance purpose), so we switch now on entity of user (".$conf->entity.") and we have to reload configuration.", LOG_WARNING);
$conf->setValues($this->db);
}
} elseif ($nbrows > 1) {
throw new RestException(503, 'Error when fetching user api_key : More than 1 user with this apikey');
}
} else {
throw new RestException(503, 'Error when fetching user api_key :'.$this->db->error_msg);