From 1ad7ec5ad16512393d7d27055394d72437b91d82 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 12 Dec 2017 13:23:39 +0100
Subject: [PATCH] Test on bad entity

---
 htdocs/api/class/api_login.class.php | 15 +++++++++++++--
 htdocs/core/login/functions_forceuser.php | 1 +
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/htdocs/api/class/api_login.class.php b/htdocs/api/class/api_login.class.php
index d59e0036423..1273b843dd3 100644
--- a/htdocs/api/class/api_login.class.php
+++ b/htdocs/api/class/api_login.class.php
@@ -57,11 +57,22 @@ class Login
 if (empty($dolibarr_main_authentication)) $dolibarr_main_authentication = 'http,dolibarr';
 // Authentication mode: forceuser
- if ($dolibarr_main_authentication == 'forceuser' && empty($dolibarr_auto_user))
- $dolibarr_auto_user = 'auto';
+ if ($dolibarr_main_authentication == 'forceuser')
+ {
+ if (empty($dolibarr_auto_user)) $dolibarr_auto_user='auto';
+ if ($dolibarr_auto_user != $login)
+ {
+ dol_syslog("Warning: your instance is set to use the automatic forced login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
+ throw new RestException(403, "Your instance is set to use the automatic login '".$dolibarr_auto_user."' that is not the requested login. API usage is forbidden in this mode.");
+ }
+ }
 // Set authmode
 $authmode = explode(',', $dolibarr_main_authentication);
+ if ($entity != '' && ! is_numeric($entity))
+ {
+ throw new RestException(403, "Bad value for entity, must be the numeric ID of company.");
+ }
 if ($entity == '') $entity=1;
 include_once DOL_DOCUMENT_ROOT . '/core/lib/security2.lib.php';
diff --git a/htdocs/core/login/functions_forceuser.php b/htdocs/core/login/functions_forceuser.php
index 94201c74ad0..c337a0840b3 100644
--- a/htdocs/core/login/functions_forceuser.php
+++ b/htdocs/core/login/functions_forceuser.php
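Review bot: The new 403 thrown in the forceuser branch embeds `$dolibarr_auto_user` in the response text, which hands the configured auto-login account name to an unauthenticated API caller who merely guessed a wrong login; the name is already written to the syslog on the line above, so the client-facing message can stay generic: `throw new RestException(403, "API usage is forbidden when the instance is configured for automatic forced login.");`. The same hunk validates `$entity` with `is_numeric`, which also accepts floats, exponent notation and leading whitespace while the message promises a numeric ID, so `if ($entity != '' && ! ctype_digit((string) $entity))` matches the stated contract more tightly. The login mismatch test uses loose `!=`, which treats numeric-looking strings such as `'1e3'` and `'1000'` as equal; `!==` is the safer comparison for two login strings. The enclosing method starts and ends outside the hunk, so where `$login` and `$entity` are read from is not visible here.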
@@ -44,5 +44,6 @@ function check_user_password_forceuser($usertotest,$passwordtotest,$entitytotest
 if ($_SESSION["dol_loginmesg"]) $login='';
+ dol_syslog("functions_forceuser::check_user_password_forceuser ok. forced user = ".$login);
 return $login;
 }
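Review bot: The added dol_syslog reports "ok" unconditionally, including on the path where the preceding line has just cleared `$login` because `$_SESSION["dol_loginmesg"]` was set, so that case is logged as `ok. forced user = ` with an empty name and the audit trail misstates the outcome. Logging the two outcomes distinctly keeps the record usable when investigating a refused forced login: `dol_syslog("functions_forceuser::check_user_password_forceuser ".($login !== '' ? "ok. forced user = ".$login : "refused, login cleared because dol_loginmesg is set"));`. The function starts outside the hunk, so how `$login` is derived before this point is not visible here.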