NEW: API setup update extrafields from name, elementtype and json (#29273)

* NEW: API setup update extrafields from name, elementtype and json

* default_value

* fix SQL injection

* more SQL injection prevention

* Sanitized

---------

Co-authored-by: Jon Bendtsen <xcodeauthor@jonb.dk>
Co-authored-by: Laurent Destailleur <eldy@destailleur.fr>

htdocs/api/class/api_setup.class.php

@@ -1232,6 +1232,91 @@ class Setup extends DolibarrApi
 		);
 	}
 
+	/**
+	 * Update Extrafield object
+	 *
+	 * @param	string	$attrname		extrafield attrname
+	 * @param	string	$elementtype	extrafield elementtype
+	 * @param	array	$request_data	Request datas
+	 * @return	int						ID of extrafield
+	 *
+	 * @url     PUT		extrafields/{elementtype}/{attrname}
+	 *
+	 * @suppress PhanPluginUnknownArrayMethodParamType  Luracast limitation
+	 *
+	 */
+	public function updateExtrafields($attrname, $elementtype, $request_data = null)
+	{
+		if (!DolibarrApiAccess::$user->admin) {
+			throw new RestException(403, 'Only an admin user can create an extrafield');
+		}
+
+		$extrafields = new ExtraFields($this->db);
+
+		$result = $extrafields->fetch_name_optionals_label($elementtype, false, $attrname);
+		if (!$result) {
+			throw new RestException(404, 'Extrafield not found from attrname and elementtype');
+		}
+
+		foreach ($request_data as $field => $value) {
+			$extrafields->$field = $this->_checkValForAPI($field, $value, $extrafields);
+		}
+
+		// built in validation
+		$enabled = 1; // hardcoded because it seems to always be 1 in every row in the database
+		if ($request_data['entity']) {
+			$entity = $request_data['entity'];
+		} else {
+			throw new RestException(400, "Entity field absent");
+		}
+		if ($request_data['label']) {
+			$label = $request_data['label'];
+		} else {
+			throw new RestException(400, "label field absent");
+		}
+
+		$alwayseditable = $request_data['alwayseditable'];
+		$default_value = $request_data['default_value'];
+		$totalizable = $request_data['totalizable'];
+		$printable = $request_data['printable'];
+		$required = $request_data['required'];
+		$langfile = $request_data['langfile'];
+		$computed = $request_data['computed'];
+		$unique = $request_data['unique'];
+		$param = $request_data['param'];
+		$perms = $request_data['perms'];
+		$size = $request_data['size'];
+		$type = $request_data['type'];
+		$list = $request_data['list'];
+		$help = $request_data['help'];
+		$pos = $request_data['pos'];
+		$moreparams = array();
+
+		dol_syslog(get_class($this).'::updateExtraField', LOG_DEBUG);
+		if ( 0 > $extrafields->updateExtraField($attrname, $label, $type, $pos, $size, $elementtype, $unique, $required, $default_value, $param, $alwayseditable, $perms, $list, $help, $computed, $entity, $langfile, $enabled, $totalizable, $printable, $moreparams)) {
+			throw new RestException(500, 'Error updating extrafield', array_merge(array($extrafields->errno), $extrafields->errors));
+		}
+
+		$sql = "SELECT t.rowid as id";
+		$sql .= " FROM ".MAIN_DB_PREFIX."extrafields as t";
+		$sql .= " WHERE elementtype = '".$this->db->escape($elementtype)."'";
+		$sql .= " AND name = '".$this->db->escape($attrname)."'";
+
+		$resql = $this->db->query($sql);
+		if ($resql) {
+			if ($this->db->num_rows($resql)) {
+				$tab = $this->db->fetch_object($resql);
+				$id = (int) $tab->id;
+			} else {
+				$id = (int) -1;
+			}
+		} else {
+			$id = (int) -2;
+		}
+
+		return $id;
+	}
+
 	/**
 	 * Get the list of towns.
 	 *