Wavyzz/dolibarr-fork
2
0
Fork 0
forked from Wavyzz/dolibarr
Code Pull Requests Activity

FIX #yogosha17128

Browse Source
This commit is contained in:
Laurent Destailleur
2023-07-19 04:14:49 +02:00
parent dbe9cc45f9
commit e41f449f95
6 changed files with 27 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
htdocs/api/class/api_access.class.php
View File

@@ -113,7 +113,7 @@ class DolibarrApiAccess implements iAuthenticate
if ($api_key) {
$userentity = 0;
$sql = "SELECT u.login, u.datec, u.api_key, ";
$sql = "SELECT u.login, u.datec, u.api_key,";
$sql .= " u.tms as date_modification, u.entity";
$sql .= " FROM ".MAIN_DB_PREFIX."user as u";
$sql .= " WHERE u.api_key = '".$this->db->escape($api_key)."' OR u.api_key = '".$this->db->escape(dolEncrypt($api_key, '', '', 'dolibarr'))."'";
@@ -140,43 +140,49 @@ class DolibarrApiAccess implements iAuthenticate
throw new RestException(503, 'Error when fetching user api_key :'.$this->db->error_msg);
}
if ($stored_key != $api_key) { // This should not happen since we did a search on api_key
if ($login && $stored_key != $api_key) { // This should not happen since we did a search on api_key
$userClass::setCacheIdentifier($api_key);
return false;
}
$genericmessageerroruser = 'Error user not valid (not found with api key or bad status or bad validity dates) (conf->entity='.$conf->entity.')';
if (!$login) {
throw new RestException(503, 'Error when searching login user from api key');
dol_syslog("functions_isallowed::check_user_api_key Authentication KO for api key: Error when searching login user from api key", LOG_NOTICE);
sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
throw new RestException(401, $genericmessageerroruser);
}
$genericmessageerroruser = 'Error user not valid (not found or bad status or bad validity dates) (conf->entity='.$conf->entity.')';
$fuser = new User($this->db);
$result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity)
if ($result <= 0) {
throw new RestException(503, $genericmessageerroruser);
dol_syslog("functions_isallowed::check_user_api_key Authentication KO for '".$login."': Failed to fetch on entity", LOG_NOTICE);
sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
throw new RestException(401, $genericmessageerroruser);
}
// Check if user status is enabled
if ($fuser->statut != $fuser::STATUS_ENABLED) {
// Status is disabled
dol_syslog("The user has been disabled");
throw new RestException(503, $genericmessageerroruser);
dol_syslog("functions_isallowed::check_user_api_key Authentication KO for '".$login."': The user has been disabled", LOG_NOTICE);
sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
throw new RestException(401, $genericmessageerroruser);
}
// Check if session was unvalidated by a password change
if (($fuser->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $fuser->flagdelsessionsbefore > $_SESSION["dol_logindate"])) {
// Session is no more valid
dol_syslog("The user has a date for session invalidation = ".$fuser->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions.");
throw new RestException(503, $genericmessageerroruser);
dol_syslog("functions_isallowed::check_user_api_key Authentication KO for '".$login."': The user has a date for session invalidation = ".$fuser->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions.");
sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
throw new RestException(401, $genericmessageerroruser);
}
// Check date validity
if ($fuser->isNotIntoValidityDateRange()) {
// User validity dates are no more valid
dol_syslog("The user login has a validity between [".$fuser->datestartvalidity." and ".$fuser->dateendvalidity."], curren date is ".dol_now());
throw new RestException(503, $genericmessageerroruser);
dol_syslog("functions_isallowed::check_user_api_key Authentication KO for '".$login."': The user login has a validity between [".$fuser->datestartvalidity." and ".$fuser->dateendvalidity."], curren date is ".dol_now());
sleep(1); // Anti brut force protection. Must be same delay when user and password are not valid.
throw new RestException(401, $genericmessageerroruser);
}
// User seems valid