From 31e5b4786ad2765f340f372940017a29b12bc2f4 Mon Sep 17 00:00:00 2001 From: jfefe Date: Sun, 3 May 2015 01:54:04 +0200 Subject: [PATCH] Fix : verify access method Now we can use tag '@class' into PHPDoc block of method or class. By example: @class DolibarrApiAccess {@requires user,external} --- htdocs/api/class/api.class.php | 2 +- htdocs/api/class/api_access.class.php | 44 +++++++++++++------ htdocs/societe/class/api_thirdparty.class.php | 5 ++- 3 files changed, 35 insertions(+), 16 deletions(-) diff --git a/htdocs/api/class/api.class.php b/htdocs/api/class/api.class.php index b2ca9db7bd9..fa9f5c710ec 100644 --- a/htdocs/api/class/api.class.php +++ b/htdocs/api/class/api.class.php @@ -74,7 +74,7 @@ class DolibarrApi { unset($object->db); - return array($object); + return $object; } } diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php index b6b8e6718c2..28334a1212d 100644 --- a/htdocs/api/class/api_access.class.php +++ b/htdocs/api/class/api_access.class.php @@ -3,8 +3,8 @@ use \Luracast\Restler\iAuthenticate; use \Luracast\Restler\Resources; use \Luracast\Restler\Defaults; +use Luracast\Restler\RestException; -require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php'; /** * Description of DolibarrApiAccess @@ -16,15 +16,25 @@ class DolibarrApiAccess implements iAuthenticate const REALM = 'Restricted Dolibarr API'; /** - * @var string $requires role required by API method user / external / admin + * @var array $requires role required by API method user / external / admin */ - public static $requires = 'user'; + public static $requires = array('user','external','admin'); /** * @var string $role user role */ public static $role = 'user'; + /** + * @var array $user_perms Permission of loggued user + @todo + public static $user_perms = array(); + + public static $required_perms = ''; + * * + */ + + /** * Check access * 
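Review bot: Removing `require_once DOL_DOCUMENT_ROOT.'/user/class/user.class.php';` in the @@ -3,8 +3,8 @@ hunk of api_access.class.php leaves `$fuser = new User($db);` in __isAllowed (the @@ -68,7 +78,11 @@ hunk) with no visible include of the User class. Unless an autoloader or an earlier include on the API bootstrap path provides it — which this patch does not show — the first request that reaches the user lookup fails on an undefined class. Either keep the require_once, or say in the commit message where User is loaded from.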
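Review bot: The new `public static $user_perms = array();` sits inside the `/** ... @todo ... */` block, so it is commented out and the class declares no such property, yet the @@ -68,7 +78,11 @@ hunk writes `static::$user_perms = $fuser->rights;`. Writing an undeclared static property is a fatal Error in PHP, so every request with a valid api_key would abort before the role is decided. Move the declaration out of the comment: `/** @var array $user_perms rights of the authenticated user */` followed by `public static $user_perms = array();`. Separately, the default `$requires` now lists every role, so an API class without its own `@class DolibarrApiAccess {@requires ...}` tag is reachable by `external` users as well as internal ones; a one-line comment on the property stating that this open default is intended would help the next reader.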
@@ -33,15 +43,13 @@ class DolibarrApiAccess implements iAuthenticate public function __isAllowed() { global $db; - + //@todo hardcoded api_key=>role for brevity // $stored_key = ''; $userClass = Defaults::$userIdentifierClass; - // for dev @todo : remove this! - static::$role = 'user'; if (isset($_GET['api_key'])) { // @todo : check from database @@ -50,9 +58,8 @@ class DolibarrApiAccess implements iAuthenticate $sql.= " FROM ".MAIN_DB_PREFIX."user as u"; $sql.= " WHERE u.api_key = '".$db->escape($_GET['api_key'])."'"; - $result=$db->query($sql); - if ($result) + if ($db->query($sql)) { if ($db->num_rows($result)) { @@ -61,6 +68,9 @@ class DolibarrApiAccess implements iAuthenticate $stored_key = $obj->api_key; } } + else { + throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg); + } if ( $stored_key != $_GET['api_key']) { $userClass::setCacheIdentifier($_GET['api_key']); @@ -68,7 +78,11 @@ class DolibarrApiAccess implements iAuthenticate } $fuser = new User($db); - $result = $fuser->fetch('',$login); + if(! $fuser->fetch('',$login)) { + throw new RestException(503, 'Error when fetching user :'.$fuser->error); + } + $fuser->getrights(); + static::$user_perms = $fuser->rights; if($fuser->societe_id) static::$role = 'external'; @@ -80,10 +94,10 @@ class DolibarrApiAccess implements iAuthenticate { return false; } - + $userClass::setCacheIdentifier(static::$role); Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess'; - return static::$requires == static::$role || static::$role == 'admin'; + return in_array(static::$role, (array) static::$requires) || static::$role == 'admin'; } public function __getWWWAuthenticateString() 
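Review bot: Replacing `$result=$db->query($sql); if ($result)` with `if ($db->query($sql))` in the @@ -50,9 +58,8 @@ hunk removes the only assignment to `$result`, but the next context line still reads `if ($db->num_rows($result))`, and the `$obj->api_key` read a few lines later presumably comes from a fetch on the same handle. With `$result` undefined the row count is taken from null, so `$stored_key` is never populated from the database and every api_key — valid or not — is rejected, or a notice/TypeError is raised depending on the driver. Keep the handle: `$result = $db->query($sql);` then `if ($result)`. __isAllowed starts and ends outside this hunk.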
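Review bot: The new `else` branch in the @@ -61,6 +68,9 @@ hunk throws `RestException(503, 'Error when fetching user api_key :'.$db->error_msg)`, which returns the raw database error text to a caller who has not yet been authenticated — this code runs before any credential is validated, so whatever the driver reports (SQL fragments, table names) is visible to anyone who sends a request. Log the driver error server-side and keep the client-facing message generic, e.g. `throw new RestException(503, 'Error when fetching user api_key');`. The @@ -68,7 +78,11 @@ hunk does the same with `'Error when fetching user :'.$fuser->error` and should get the same treatment. Also confirm that `$db->error_msg` is the accessor this DB wrapper actually exposes; the patch does not show it.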
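Review bot: `if(! $fuser->fetch('',$login))` in the @@ -68,7 +78,11 @@ hunk only catches a falsy return; if `fetch()` follows the usual Dolibarr convention of returning a negative number on a database error and 0 when no row matches, an error (<0) is truthy, slips past the check, and the code continues with an unloaded user whose `societe_id` and `rights` are then trusted. Test the sign explicitly: `if ($fuser->fetch('', $login) <= 0) {`. A lookup that finds no user is also not a 503 — the key resolved to a login a moment earlier — so treat a miss as an authentication failure rather than a server error. __isAllowed starts and ends outside this hunk.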
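Review bot: The new `in_array(static::$role, (array) static::$requires)` in the @@ -80,10 +94,10 @@ hunk omits the strict flag, and the admin short-circuit still uses `==`; both sides are plain strings today, but loose comparison is the wrong default for an access decision and `in_array` without `true` has well-known loose-match surprises with numeric-looking strings. Write it as `return in_array(static::$role, (array) static::$requires, true) || static::$role === 'admin';`. The same loose `in_array`/`==` pair appears in verifyAccess in the @@ -96,12 +110,14 @@ hunk. __isAllowed begins outside this hunk.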
@@ -96,12 +110,14 @@ class DolibarrApiAccess implements iAuthenticate
 */
 public static function verifyAccess(array $m)
 {
- $requires =
- isset($m['class']['DolibarrApiAccess']['properties']['requires'])
+ $requires = isset($m['class']['DolibarrApiAccess']['properties']['requires'])
 ? $m['class']['DolibarrApiAccess']['properties']['requires']
 : false;
+
+
 return $requires
- ? static::$role == 'admin' || static::$role == $requires
+ ? static::$role == 'admin' || in_array(static::$role, (array) $requires)
 : true;
+
 }
 }
diff --git a/htdocs/societe/class/api_thirdparty.class.php b/htdocs/societe/class/api_thirdparty.class.php
index bc0859decfa..c68b808cb2e 100644
--- a/htdocs/societe/class/api_thirdparty.class.php
+++ b/htdocs/societe/class/api_thirdparty.class.php
@@ -23,7 +23,9 @@
 * API class for thirdparty object
 *
 * @smart-auto-routing false
- * @access protected
+ * @access protected
+ * @class DolibarrApiAccess {@requires user,external}
+ *
 *
 */
 class ThirdpartyApi extends DolibarrApi {
@@ -59,6 +61,7 @@ class ThirdpartyApi extends DolibarrApi {
 * @url GET thirdparty/{id}
 * @param int $id ID of thirdparty
 * @return array|mixed data without useless information
+ *
 * @throws RestException
 */
 function get($id)
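Review bot: `in_array(static::$role, (array) $requires)` on the new line of verifyAccess assumes the comment parser delivers `{@requires user,external}` as an array; if it instead delivers the single string `'user,external'`, the `(array)` cast wraps it unchanged, no non-admin role ever matches, and the endpoint silently becomes admin-only — worth a unit test that feeds the annotation from api_thirdparty.class.php through the parser. The existing `: true` fallthrough means a class with no `requires` property is open to every authenticated role, which is acceptable as a deliberate default but deserves a docblock line on verifyAccess, e.g. `* Returns true when the class declares no @requires restriction (every role allowed).`. Pass `true` as the third argument to `in_array` here as well, as in __isAllowed.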
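Review bot: The access rule for ThirdpartyApi now lives in a docblock tag, `@class DolibarrApiAccess {@requires user,external}`, and verifyAccess in api_access.class.php falls back to allowing every role when that property is absent — so a typo in the tag or in the class name fails open rather than closed. A short note beside the tag, e.g. `* Access control: only the roles listed in @requires (plus admin) may call this class; see DolibarrApiAccess::verifyAccess`, makes that dependency visible to whoever copies this header into the next API class.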