NEW Can restrict API usage to some IP only
This commit is contained in:
Laurent Destailleur
parent
ac1203fce3
commit
2147d505c3
@ -78,6 +78,12 @@ if ($action == 'setproductionmode')
|
||||
}
|
||||
}
|
||||
|
||||
if ($action == 'save')
|
||||
{
|
||||
dolibarr_set_const($db, 'API_RESTICT_ON_IP', GETPOST('API_RESTICT_ON_IP', 'alpha'));
|
||||
}
|
||||
|
||||
|
||||
dol_mkdir(DOL_DATA_ROOT.'/api/temp'); // May have been deleted by a purge
|
||||
|
||||
|
||||
@ -93,37 +99,50 @@ print load_fiche_titre($langs->trans("ApiSetup"), $linkback, 'title_setup');
|
||||
print $langs->trans("ApiDesc")."<br>\n";
|
||||
print "<br>\n";
|
||||
|
||||
//print '<form name="apisetupform" action="'.$_SERVER["PHP_SELF"].'" method="post">';
|
||||
print '<form method="POST" action="'.$_SERVER["PHP_SELF"].'">';
|
||||
print '<input type="hidden" name="token" value="'.$_SESSION['newtoken'].'">';
|
||||
print '<input type="hidden" name="action" value="save">';
|
||||
|
||||
print '<table class="noborder" width="100%">';
|
||||
|
||||
print '<tr class="liste_titre">';
|
||||
print "<td>".$langs->trans("Parameter")."</td>";
|
||||
print '<td align="center">'.$langs->trans("Value")."</td>";
|
||||
print '<td>'.$langs->trans("Value")."</td>";
|
||||
print "<td> </td>";
|
||||
print "</tr>";
|
||||
|
||||
print '<tr class="impair">';
|
||||
print '<tr class="oddeven">';
|
||||
print '<td>'.$langs->trans("ApiProductionMode").'</td>';
|
||||
$production_mode=(empty($conf->global->API_PRODUCTION_MODE)?false:true);
|
||||
if ($production_mode)
|
||||
{
|
||||
print '<td align="center"><a class="reposition" href="'.$_SERVER['PHP_SELF'].'?action=setproductionmode&value='.($i+1).'&status=0">';
|
||||
print '<td><a class="reposition" href="'.$_SERVER['PHP_SELF'].'?action=setproductionmode&value='.($i+1).'&status=0">';
|
||||
print img_picto($langs->trans("Activated"), 'switch_on');
|
||||
print '</a></td>';
|
||||
}
|
||||
else
|
||||
{
|
||||
print '<td align="center"><a class="reposition" href="'.$_SERVER['PHP_SELF'].'?action=setproductionmode&value='.($i+1).'&status=1">';
|
||||
print '<td><a class="reposition" href="'.$_SERVER['PHP_SELF'].'?action=setproductionmode&value='.($i+1).'&status=1">';
|
||||
print img_picto($langs->trans("Disabled"), 'switch_off');
|
||||
print '</a></td>';
|
||||
}
|
||||
print '<td> </td>';
|
||||
print '</tr>';
|
||||
|
||||
print '<tr class="oddeven">';
|
||||
print '<td>'.$langs->trans("RestrictApiToIps").'</td>';
|
||||
print '<td><input type="text" name="API_RESTICT_ON_IP" value="'.dol_escape_htmltag($conf->global->API_RESTICT_ON_IP).'"></td>';
|
||||
print '<td>';
|
||||
print '<input type="submit" class="button" name="save" value="'.dol_escape_htmltag($langs->trans("Save")).'"></td>';
|
||||
print '</td>';
|
||||
print '</tr>';
|
||||
|
||||
print '</table>';
|
||||
print '<br><br>';
|
||||
|
||||
print '</form>';
|
||||
|
||||
|
||||
// Define $urlwithroot
|
||||
$urlwithouturlroot=preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
|
||||
$urlwithroot=$urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
|
||||
|
||||
@ -206,6 +206,21 @@ if (! empty($reg[1]) && $reg[1] == 'explorer' && ($reg[2] == '/swagger.json' ||
|
||||
// Call one APIs or one definition of an API
|
||||
if (! empty($reg[1]) && ($reg[1] != 'explorer' || ($reg[2] != '/swagger.json' && $reg[2] != '/resources.json' && preg_match('/^\/(swagger|resources)\.json\/(.+)$/', $reg[2], $regbis) && $regbis[2] != 'root')))
|
||||
{
|
||||
// Restrict API to some IPs
|
||||
if (! empty($conf->global->API_RESTICT_ON_IP))
|
||||
{
|
||||
$allowedip=explode(' ', $conf->global->API_RESTICT_ON_IP);
|
||||
$ipremote = getUserRemoteIP();
|
||||
if (! in_array($ipremote, $allowedip))
|
||||
{
|
||||
dol_syslog('Remote ip is '.$ipremote.', not into list '.$conf->global->API_RESTICT_ON_IP);
|
||||
print 'API not allowed from the IP '.$ipremote;
|
||||
header('HTTP/1.1 503 API not allowed from your IP '.$ipremote);
|
||||
//print $conf->global->API_RESTICT_ON_IP;
|
||||
exit(0);
|
||||
}
|
||||
}
|
||||
|
||||
$module = $reg[1];
|
||||
if ($module == 'explorer') // If we call page to explore details of a service
|
||||
{
|
||||
|
||||
@ -1932,3 +1932,4 @@ DeleteEmailCollector=Delete email collector
|
||||
ConfirmDeleteEmailCollector=Are you sure you want to delete this email collector?
|
||||
RecipientEmailsWillBeReplacedWithThisValue=Recipient emails will be always replaced with this value
|
||||
AtLeastOneDefaultBankAccountMandatory=At least 1 default bank account must be defined
|
||||
RestrictApiToIps=Allow available APIs to some host IP only (wildcard not allowed, use space between values). Empty means every hosts can use the available APIs.
|
||||
Loading…
Reference in New Issue
Block a user