Factorize code to know if a parameter is used to store a secret

This commit is contained in:
Laurent Destailleur
2020-10-05 12:13:06 +02:00
parent 8a079cf716
commit cfc3c01815
5 changed files with 40 additions and 9 deletions


@@ -66,6 +66,10 @@ class Setup extends DolibarrApi
{
$list = array();
if (!DolibarrApiAccess::$user->rights->commande->lire) {
throw new RestException(401);
}
$sql = "SELECT rowid, code, libelle as label, module";
$sql .= " FROM ".MAIN_DB_PREFIX."c_input_method as t";
$sql .= " WHERE t.active = ".$active;
@@ -127,6 +131,10 @@ class Setup extends DolibarrApi
{
$list = array();
if (!DolibarrApiAccess::$user->rights->propal->lire && !DolibarrApiAccess::$user->rights->commande->lire && !DolibarrApiAccess::$user->rights->facture->lire) {
throw new RestException(401);
}
$sql = "SELECT id, code, type, libelle as label, module";
$sql .= " FROM ".MAIN_DB_PREFIX."c_paiement as t";
$sql .= " WHERE t.entity IN (".getEntity('c_paiement').")";
@@ -468,6 +476,10 @@ class Setup extends DolibarrApi
{
$list = array();
if (!DolibarrApiAccess::$user->rights->commande->lire) {
throw new RestException(401);
}
$sql = "SELECT rowid, code, label";
$sql .= " FROM ".MAIN_DB_PREFIX."c_availability as t";
$sql .= " WHERE t.active = ".$active;
@@ -960,6 +972,10 @@ class Setup extends DolibarrApi
{
$list = array();
if (!DolibarrApiAccess::$user->admin) {
throw new RestException(401, 'Only an admin user can get list of extrafields');
}
if ($type == 'thirdparty') $type = 'societe';
if ($type == 'contact') $type = 'socpeople';
@@ -1100,6 +1116,10 @@ class Setup extends DolibarrApi
{
$list = array();
if (!DolibarrApiAccess::$user->rights->propal->lire && !DolibarrApiAccess::$user->rights->commande->lire && !DolibarrApiAccess::$user->rights->facture->lire) {
throw new RestException(401);
}
$sql = "SELECT rowid as id, code, sortorder, libelle as label, libelle_facture as descr, type_cdr, nbjour, decalage, module";
$sql .= " FROM ".MAIN_DB_PREFIX."c_payment_term as t";
$sql .= " WHERE t.entity IN (".getEntity('c_payment_term').")";
@@ -1545,15 +1565,15 @@ class Setup extends DolibarrApi
global $conf;
if (!DolibarrApiAccess::$user->admin
&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_ADMIN_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_ADMIN_CHECK)) {
throw new RestException(403, 'Error API open to admin users only or to the login user defined with constant API_LOGIN_ALLOWED_FOR_ADMIN_CHECK');
&& (empty($conf->global->API_LOGINS_ALLOWED_FOR_CONST_READ) || DolibarrApiAccess::$user->login != $conf->global->API_LOGINS_ALLOWED_FOR_CONST_READ)) {
throw new RestException(403, 'Error API open to admin users only or to the users with logins defined into constant API_LOGINS_ALLOWED_FOR_CONST_READ');
}
if (!preg_match('/^[a-zA-Z0-9_]+$/', $constantname) || !isset($conf->global->$constantname)) {
throw new RestException(404, 'Error Bad or unknown value for constantname');
}
if (preg_match('/(_pass|_pw|password|secret|_key|key$)/i', $constantname)) {
throw new RestException(403, 'Forbidden');
if (isASecretKey($constantname)) {
throw new RestException(403, 'Forbidden. This parameter cant be read with APIs');
}
return $conf->global->$constantname;
@@ -1578,7 +1598,7 @@ class Setup extends DolibarrApi
if (!DolibarrApiAccess::$user->admin
&& (empty($conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK) || DolibarrApiAccess::$user->login != $conf->global->API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK))
{
throw new RestException(503, 'Error API open to admin users only or to the login user defined with constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
throw new RestException(503, 'Error API open to admin users only or to the users with logins defined into constant API_LOGIN_ALLOWED_FOR_INTEGRITY_CHECK');
}
require_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';