diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php
index 585be857979..1e3d43ed9db 100644
--- a/htdocs/api/class/api_access.class.php
+++ b/htdocs/api/class/api_access.class.php
@@ -28,23 +28,24 @@ use Luracast\Restler\RestException;
 class DolibarrApiAccess implements iAuthenticate
 {
 const REALM = 'Restricted Dolibarr API';
-
+
 /**
- * @var array $requires role required by API method user / external / admin
+ * @var array $requires role required by API method user / external / admin
 */
 public static $requires = array('user','external','admin');
-
+
 /**
 * @var string $role user role
 */
 public static $role = 'user';
-
+
 /**
- * @var User $user Loggued user
+ * @var User $user Loggued user
 */
 public static $user = '';
-
-
+
+ // @codingStandardsIgnoreStart
+
 /**
 * @return string string to be used with WWW-Authenticate header
 * @example Basic
@@ -52,26 +53,27 @@ class DolibarrApiAccess implements iAuthenticate
 * @example OAuth
 */
 public function __getWWWAuthenticateString();
-
+
 /**
 * Check access
- *
+ *
 * @return boolean
 */
 public function _isAllowed()
 {
+ // @codingStandardsIgnoreEnd
 global $db;
 $stored_key = '';
-
+
 $userClass = Defaults::$userIdentifierClass;
-
+
 if (isset($_GET['api_key']))
 {
 $sql = "SELECT u.login, u.datec, u.api_key, ";
 $sql.= " u.tms as date_modification, u.entity";
 $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
 $sql.= " WHERE u.api_key = '".$db->escape($_GET['api_key'])."'";
-
+
 if ($db->query($sql))
 {
 if ($db->num_rows($result))
@@ -89,17 +91,17 @@ class DolibarrApiAccess implements iAuthenticate
 $userClass::setCacheIdentifier($_GET['api_key']);
 return false;
 }
-
+
 $fuser = new User($db);
 if(! $fuser->fetch('',$login))
 {
 throw new RestException(503, 'Error when fetching user :'.$fuser->error);
 }
 $fuser->getrights();
 static::$user = $fuser;
-
+
 if($fuser->societe_id) static::$role = 'external';
-
+
 if($fuser->admin) static::$role = 'admin';
 }
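Review bot: The `// @codingStandardsIgnoreStart` added ahead of the `__getWWWAuthenticateString` docblock opens a sniff-suppression region whose matching `// @codingStandardsIgnoreEnd` (next hunk) sits inside the body of `_isAllowed()`, so the docblock and signature of `_isAllowed` are silenced too, and the region starts and ends at different nesting levels. If the only goal is to let phpcs accept the underscore-prefixed method names that Restler's iAuthenticate requires, a region wrapped tightly around each signature keeps the rest of the class under the sniffer. A one-line reason next to the marker, such as `// @codingStandardsIgnoreStart -- method names are fixed by Restler's iAuthenticate interface`, would tell the next reader why the suppression exists.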
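Review bot: `if ($db->num_rows($result))` at the end of the second hunk tests a variable that no visible line of `_isAllowed()` assigns, while the handle returned by `$db->query($sql)` on the preceding line is discarded. Unless `$result` is set somewhere outside the hunk, the API-key lookup never sees a row and every key is treated as unknown, so this is worth confirming before the whitespace-only change is merged. Keeping the handle fixes it: `$result = $db->query($sql);` then `if ($result)` and `if ($db->num_rows($result))`. The body of `_isAllowed()` continues past this hunk.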
@@ -112,12 +114,19 @@ class DolibarrApiAccess implements iAuthenticate
 Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
 return in_array(static::$role, (array) static::$requires) || static::$role == 'admin';
 }
-
+
+ // @codingStandardsIgnoreStart
+ public function __getWWWAuthenticateString()
+ {
+ return '';
+ }
+ // @codingStandardsIgnoreEnd
+
 /**
 * Verify access
-
- * @param array $m Properties of method
-
+ *
+ * @param array $m Properties of method
+ *
 * @access private
 */
 public static function verifyAccess(array $m)
@@ -125,11 +134,11 @@ class DolibarrApiAccess implements iAuthenticate
 $requires = isset($m['class']['DolibarrApiAccess']['properties']['requires']) ? $m['class']['DolibarrApiAccess']['properties']['requires'] : false;
-
-
+
+
 return $requires ? static::$role == 'admin' || in_array(static::$role, (array) $requires) : true;
-
+
 }
 }
diff --git a/htdocs/public/api/index.php b/htdocs/public/api/index.php
index c1203b0c9b1..d5065e45a32 100644
--- a/htdocs/public/api/index.php
+++ b/htdocs/public/api/index.php
@@ -48,7 +48,7 @@ if (empty($conf->global->MAIN_MODULE_API))
 }
 use Luracast\Restler\Defaults;
-
+Defaults::setProperty('authenticationMethod','_isAllowed');
 $api = new DolibarrApi($db);
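Review bot: The `__getWWWAuthenticateString()` added with a body here gives `DolibarrApiAccess` a second declaration of that method: the earlier hunk still carries the body-less `public function __getWWWAuthenticateString();` as an unchanged line, and PHP accepts neither a duplicate method name in one class nor a body-less method in a non-abstract class. Unless that earlier line is dropped in a part of the file not shown, the commit should remove it and move its docblock (`@return string string to be used with WWW-Authenticate header` and the `@example` lines) down onto this implementation. The new method has no docblock of its own; a short one stating that it returns an empty challenge string, presumably because this class authenticates by the `api_key` query parameter rather than an HTTP auth scheme, would explain the otherwise puzzling `return ''`.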
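Review bot: `Defaults::setProperty('authenticationMethod','_isAllowed');` hard-codes, as a plain string, the name of the method Restler will look up on the authentication class, so it has to stay in step with `DolibarrApiAccess::_isAllowed()` in api_access.class.php; a rename on either side would presumably surface only at runtime rather than on this line. A comment such as `// Restler calls DolibarrApiAccess::_isAllowed() (htdocs/api/class/api_access.class.php) to authenticate every request` makes the coupling visible to whoever next touches either file.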