lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix API when using an API key for a user in another entity

Browse Source
This commit is contained in:
Laurent Destailleur 2017-10-16 16:23:50 +02:00
parent bec985a551
commit a4b4eab2ae
1 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
htdocs/api/class/api_access.class.php
View File

@ -69,7 +69,7 @@ class DolibarrApiAccess implements iAuthenticate
*/ */
public function __isAllowed() public function __isAllowed()
{ {
global $db; global $conf, $db;
$login = ''; $login = '';
$stored_key = ''; $stored_key = '';
@ -100,11 +100,14 @@ class DolibarrApiAccess implements iAuthenticate
if ($api_key) if ($api_key)
{ {
$userentity = 0;
$sql = "SELECT u.login, u.datec, u.api_key, "; $sql = "SELECT u.login, u.datec, u.api_key, ";
$sql.= " u.tms as date_modification, u.entity"; $sql.= " u.tms as date_modification, u.entity";
$sql.= " FROM ".MAIN_DB_PREFIX."user as u"; $sql.= " FROM ".MAIN_DB_PREFIX."user as u";
$sql.= " WHERE u.api_key = '".$db->escape($api_key)."'"; $sql.= " WHERE u.api_key = '".$db->escape($api_key)."'";
// TODO Check if 2 users has same API key.
$result = $db->query($sql); $result = $db->query($sql);
if ($result) if ($result)
{ {
@ -113,24 +116,31 @@ class DolibarrApiAccess implements iAuthenticate
$obj = $db->fetch_object($result); $obj = $db->fetch_object($result);
$login = $obj->login; $login = $obj->login;
$stored_key = $obj->api_key; $stored_key = $obj->api_key;
$userentity = $obj->entity;
if (! defined("DOLENTITY")) // If API was not forced with HTTP_DOLENTITY, we set entity to entity of user
{
$conf->entity = ($obj->entity?$obj->entity:1);
}
} }
} }
else { else {
throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg); throw new RestException(503, 'Error when fetching user api_key :'.$db->error_msg);
} }
if ($stored_key != $api_key) { if ($stored_key != $api_key) { // This should not happen since we did a search on api_key
$userClass::setCacheIdentifier($api_key); $userClass::setCacheIdentifier($api_key);
return false; return false;
} }
if (! $login) if (! $login)
{ {
throw new RestException(503, 'Error when searching logn user fro mapi key'); throw new RestException(503, 'Error when searching login user from api key');
} }
$fuser = new User($db); $fuser = new User($db);
if(! $fuser->fetch('',$login)) { $result = $fuser->fetch('', $login, '', 0, (empty($userentity) ? -1 : $conf->entity)); // If user is not entity 0, we search in working entity $conf->entity (that may have been forced to a different value than user entity)
throw new RestException(503, 'Error when fetching user :'.$fuser->error); if ($result <= 0) {
throw new RestException(503, 'Error when fetching user :'.$fuser->error.' (conf->entity='.$conf->entity.')');
} }
$fuser->getrights(); $fuser->getrights();
static::$user = $fuser; static::$user = $fuser;
@ -146,11 +156,11 @@ class DolibarrApiAccess implements iAuthenticate
throw new RestException(401, "Failed to login to API. No parameter 'HTTP_DOLAPIKEY' on HTTP header (and no parameter DOLAPIKEY in URL)."); throw new RestException(401, "Failed to login to API. No parameter 'HTTP_DOLAPIKEY' on HTTP header (and no parameter DOLAPIKEY in URL).");
} }
$userClass::setCacheIdentifier(static::$role); $userClass::setCacheIdentifier(static::$role);
Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess'; Resources::$accessControlFunction = 'DolibarrApiAccess::verifyAccess';
$requirefortest = static::$requires; $requirefortest = static::$requires;
if (! is_array($requirefortest)) $requirefortest=explode(',',$requirefortest); if (! is_array($requirefortest)) $requirefortest=explode(',',$requirefortest);
return in_array(static::$role, (array) $requirefortest) || static::$role == 'admin'; return in_array(static::$role, (array) $requirefortest) || static::$role == 'admin';
} }
/** /**