From be949278ff15c96120e31dfbe03c4f73ff9d9e5b Mon Sep 17 00:00:00 2001
From: yannis
Date: Wed, 9 Jul 2025 11:15:07 +0200
Subject: [PATCH] feat: cant access document of entity if different of token entity
---
 htdocs/api/class/api_access.class.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php
index e653baaf832..641b30d0d38 100644
--- a/htdocs/api/class/api_access.class.php
+++ b/htdocs/api/class/api_access.class.php
@@ -95,6 +95,7 @@ class DolibarrApiAccess implements iAuthenticate
 $login = '';
 $stored_key = '';
+ $use_api = '';
 $userClass = Defaults::$userIdentifierClass;
@@ -133,7 +134,7 @@ class DolibarrApiAccess implements iAuthenticate
 if ($api_key) {
 $userentity = 0;
- $sql = "SELECT u.login, u.api_key as use_api, oat.token as api_key, oat.entity";
+ $sql = "SELECT u.login, u.api_key as use_api, u.entity, oat.token as api_key, oat.entity as token_entity";
 $sql .= " FROM ".MAIN_DB_PREFIX."oauth_token AS oat";
 $sql .= " JOIN ".MAIN_DB_PREFIX."user AS u ON u.rowid = oat.fk_user";
 $sql .= " WHERE oat.token = '".$this->db->escape($api_key)."'";
@@ -148,6 +149,7 @@ class DolibarrApiAccess implements iAuthenticate
 $login = $obj->login;
 $stored_key = dolDecrypt($obj->api_key);
 $userentity = $obj->entity;
+ $tokenentity = $obj->token_entity;
 $use_api = $obj->use_api;
 if (!defined("DOLENTITY") && $conf->entity != ($obj->entity ? $obj->entity : 1)) { // If API was not forced with HTTP_DOLENTITY, and user is on another entity, so we reset entity to entity of user 
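Review bot: `$userentity = 0;` is reset before the query runs, but the new `$tokenentity` that the entity check later in this method reads is only assigned inside the single-row branch; add `$tokenentity = 0;` next to it so the variable is defined on every path, in the same spirit as the `$use_api = '';` initialisation this commit adds at the top of the method. Note also that the SELECT now returns an unaliased `u.entity` alongside `oat.entity as token_entity`, so `$obj->entity` changes meaning from the token's entity to the user's entity, and the existing DOLENTITY fallback below will now switch `$conf->entity` to the user's entity rather than the token's; if that shift is intended it deserves a sentence in the commit message, and if not, keep the old alias. The `if ($api_key)` block continues past the end of this hunk.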
@@ -156,6 +158,9 @@ class DolibarrApiAccess implements iAuthenticate
 dol_syslog("Entity was not set on http header with HTTP_DOLAPIENTITY (recommended for performance purpose), so we switch now on entity of user (".$conf->entity.") and we have to reload configuration.", LOG_WARNING);
 $conf->setValues($this->db);
 }
+ if ($conf->entity != ($tokenentity ? $tokenentity : 1)) {
+ throw new RestException(401, 'Forbidden');
+ }
 } elseif ($nbrows > 1) {
 throw new RestException(503, 'Error when fetching user api_key : More than 1 user with this apikey');
 }
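Review bot: The new rejection `throw new RestException(401, 'Forbidden');` pairs an authentication status with an authorization message: the token has already been found and decrypted, and what is being refused is its use on another entity, so `throw new RestException(403, 'Forbidden');` (or 401 with 'Unauthorized') would be consistent and easier for clients to handle. The check also fires after `$conf->setValues($this->db)` may already have reloaded configuration for the user's entity, which is only harmless because the exception ends the request; a `dol_syslog("API token bound to entity ".$tokenentity." used with entity ".$conf->entity.", access refused", LOG_WARNING);` before the throw would give operators a trace of cross-entity token use, matching the logging style of the surrounding code. Finally, `($tokenentity ? $tokenentity : 1)` folds a 0/NULL token entity into entity 1; if 0 is meant to denote "all entities" for oauth_token rows, such tokens would now be rejected everywhere except entity 1, so please confirm that is intended. The enclosing method begins before this hunk.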