lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Verify API access by user to resource

Browse Source 
API authentication mechanism is supposed to be working with internal or external users
This commit is contained in:
jfefe 2015-05-03 14:44:37 +02:00
parent 46ce77c571
commit 47c3724f3d
3 changed files with 50 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
htdocs/api/class/api.class.php
View File

@ -66,17 +66,48 @@ class DolibarrApi {
* Clean sensible object datas
* @var object $object Object to clean
* @return array Array of cleaned object properties
*
*
* @todo use an array for properties to clean
*
*/
protected function cleanObjectDatas($object){
protected function _cleanObjectDatas($object){
unset($object->db);
return $object;
}
/**
* Check user access to a resource
*
* Check access by user to a given resource
*
* @param string $resource element to check
* @param int $resource_id Object ID if we want to check a particular record (optional) is linked to a owned thirdparty (optional).
* @param type $dbtablename 'TableName&SharedElement' with Tablename is table where object is stored. SharedElement is an optional key to define where to check entity. Not used if objectid is null (optional)
* @param string $feature2 Feature to check, second level of permission (optional). Can be or check with 'level1|level2'.
* @param string $dbt_keyfield Field name for socid foreign key if not fk_soc. Not used if objectid is null (optional)
* @param string $dbt_select Field name for select if not rowid. Not used if objectid is null (optional)
* @throws RestException
*/
static function _checkAccessToResource($resource, $resource_id=0, $dbtablename='', $feature2='', $dbt_keyfield='fk_soc', $dbt_select='rowid') {
// Features/modules to check
$featuresarray = array($resource);
if (preg_match('/&/', $resource)) {
$featuresarray = explode("&", $resource);
}
else if (preg_match('/\|/', $resource)) {
$featuresarray = explode("|", $resource);
}
// More subfeatures to check
if (! empty($feature2)) {
$feature2 = explode("|", $feature2);
}
return checkUserAccessToObject(DolibarrApiAccess::$user, $featuresarray,$resource_id,$dbtablename,$feature2,$dbt_keyfield,$dbt_select);
}
}
/**

14
htdocs/api/class/api_access.class.php
View File

@ -26,14 +26,10 @@ class DolibarrApiAccess implements iAuthenticate
public static $role = 'user';
/**
* @var array $user_perms Permission of loggued user
@todo
public static $user_perms = array();
public static $required_perms = '';
* *
* @var User $user Permission of loggued user
*/
public static $user = '';
/**
* Check access
@ -44,8 +40,6 @@ class DolibarrApiAccess implements iAuthenticate
{
global $db;
//@todo hardcoded api_key=>role for brevity
//
$stored_key = '';
$userClass = Defaults::$userIdentifierClass;
@ -82,7 +76,7 @@ class DolibarrApiAccess implements iAuthenticate
throw new RestException(503, 'Error when fetching user :'.$fuser->error);
}
$fuser->getrights();
static::$user_perms = $fuser->rights;
static::$user = $fuser;
if($fuser->societe_id)
static::$role = 'external';

16
htdocs/societe/class/api_thirdparty.class.php
View File

@ -65,13 +65,21 @@ class ThirdpartyApi extends DolibarrApi {
* @throws RestException
*/
function get($id)
{
{
if(! DolibarrApiAccess::$user->rights->societe->lire) {
throw new RestException(401);
}
$result = $this->company->fetch($id);
if( ! $result ) {
throw new RestException(404, 'Thirdparty not found');
}
return $this->cleanObjectDatas($this->company);
if( ! DolibarrApi::_checkAccessToResource('societe',$this->company->id)) {
throw new RestException(401, 'Access not allowed for login '.DolibarrApiAccess::$user->login);
}
return $this->_cleanObjectDatas($this->company);
}
/**
@ -134,7 +142,7 @@ class ThirdpartyApi extends DolibarrApi {
* @return array
* @throws RestException
*/
private function _validate($data)
function _validate($data)
{
$thirdparty = array();
foreach (ThirdpartyApi::$FIELDS as $field) {