api.php 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421
  1. <?php
  2. /* CORE API */
  3. //Infos api
  4. $api = new Api("core", "Api du coeur applicatif");
  5. $api->route('infos','retourne les informations sur l\'environnement','GET',function($request,&$response){
  6. global $myUser,$databases_credentials;
  7. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  8. $repository = '';
  9. if(file_exists(__DIR__.SLASH.'.git'.SLASH.'config')){
  10. $stream = file_get_contents(__DIR__.SLASH.'.git'.SLASH.'config');
  11. preg_match('|url = (.*\.fr)[:/]([^\n]*)|is', $stream,$match);
  12. $repository = $match[2];
  13. $repositoryUrl = preg_replace('|[^@]*@|i','http://',$match[1]).'/'.$match[2];
  14. }
  15. if(file_exists(__DIR__.SLASH.'.git'.SLASH.'refs'.SLASH.'heads'.SLASH.'master'))
  16. $commitVersion = str_replace(array("\n","\r"),"",file_get_contents(__DIR__.SLASH.'.git'.SLASH.'refs'.SLASH.'heads'.SLASH.'master'));
  17. $response['application']['label'] = PROGRAM_NAME;
  18. $response['application']['version'] = SOURCE_VERSION;
  19. $response['application']['versionning']['type'] = 'git';
  20. $response['application']['versionning']['repository'] = $repository;
  21. $response['application']['versionning']['repository_url'] = $repositoryUrl;
  22. $response['application']['versionning']['commit_version'] = $commitVersion;
  23. $response['application']['timezone'] = TIME_ZONE;
  24. $response['php']['version'] = phpversion();
  25. $response['apache']['version'] = apache_get_version();
  26. $response['databases'] = array();
  27. foreach ($databases_credentials as $key => $value) {
  28. unset($value['password']);
  29. $value['uid'] = $key;
  30. $response['databases'][] = $value;
  31. }
  32. $response['os']['type'] = PHP_OS;
  33. $response['os']['time'] = time();
  34. });
  35. $api->route('token','retourne un jwt token en fonction des identifiants fournis sur l\'environnement','POST',function($request,&$response){
  36. $_ = json_decode($request['body'],true);
  37. if(!isset($_['api_id']) || !isset($_['api_secret'])) throw new Exception("Api Credentials are missing",401);
  38. global $conf;
  39. if(empty($conf->get('jwtauth_secret'))) throw new Exception('JWT secret is missing in core',501);
  40. if(session_status() == PHP_SESSION_ACTIVE) session_destroy();
  41. session_start();
  42. $apiKey = UserPreference::load(array('key'=>'api_id','value'=>encrypt($_['api_id'])));
  43. if(!$apiKey) throw new Exception('Api id not found',404);
  44. $apiSecret = UserPreference::load(array('key'=>'api_secret','user'=>$apiKey->user,'value'=>encrypt($_['api_secret'])));
  45. if(!$apiSecret) throw new Exception('Bad api secret',401);
  46. $apiEnabled = UserPreference::load(array('key'=>'api_enabled','user'=>$apiKey->user,'value'=>1));
  47. if(!$apiEnabled) throw new Exception('Api is not enabled for this account',401);
  48. global $myUser,$myFirm;
  49. $myUser = User::connectLogin($apiSecret->user);
  50. if(!$myUser || !$myUser->connected()) throw new Exception('Bad credentials',401);
  51. if(file_exists('enabled.maintenance') && $myUser->superadmin != 1) throw new Exception('Maintenance is enabled, only super admin can connects',403);
  52. $_SESSION['currentUser'] = serialize($myUser);
  53. $_SESSION['firm'] = serialize($myFirm);
  54. $response['session'] = session_id();
  55. $json = array();
  56. $json['exp'] = strtotime('+8hours');
  57. $json['attributes'] = array(
  58. 'session_id' => session_id(),
  59. 'user' => $myUser->login
  60. );
  61. $response['token'] = JWToken::createFromJson($json,$conf->get('jwtauth_secret'));
  62. });
  63. //right api
  64. $api->route('rights','retourne la liste des droits du logiciel','GET',function($request,&$response){
  65. global $myUser;
  66. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  67. $response['rights'] = array();
  68. if(isset($request['parameters']['sort'])) throw new Exception("Sort is not implemented for firms",501);
  69. if(isset($request['parameters']['filter'])) throw new Exception("Filter is not implemented for firms",501);
  70. $limit = isset($request['parameters']['limit']) ? array($request['parameters']['limit']) : array();
  71. foreach (Right::loadAll(array(),array(),$limit) as $right) {
  72. $row = $right->toArray();
  73. $response['rights'][] = $row;
  74. }
  75. });
  76. $api->route('rights/[rightid]','ajoute/modifie un droit du logiciel','PUT',function($request,&$response){
  77. global $myUser;
  78. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  79. $response['right'] = array();
  80. //Création
  81. $_ = $request['parameters'];
  82. $form = json_decode($request['body'],true);
  83. if(!$form) throw new Exception("Invalid JSON body",400);
  84. User::check_access('right','edit');
  85. if(!empty($request['pathes'])){
  86. $right = Right::getById($request['pathes'][0]);
  87. if(empty($right->id)) throw new Exception("Right not found", 404);
  88. $response['code'] = 200; //Modifié
  89. }else{
  90. $right = new right();
  91. if(!isset($form['rank']) || empty($form['rank'])) throw new Exception("L'id du rang est obligatoire",400);
  92. if(!isset($form['scope']) || empty($form['scope'])) throw new Exception("Le nom de la scope est obligatoire",400);
  93. if(!isset($form['firm']) || empty($form['firm'])) throw new Exception("L'id de l'établissement est obligatoire",400);
  94. $response['code'] = 201; //Créé
  95. }
  96. //Check si le rang existe
  97. $rank = Rank::getById($form['rank']);
  98. if(empty($rank->id)) throw new Exception("Rank not found", 400);
  99. //Check si la firm existe
  100. $firm = Firm::getById($form['firm']);
  101. if(empty($firm->id)) throw new Exception("Firm not found", 400);
  102. //Check si la scope existe
  103. $scopes = array();
  104. Plugin::callHook('section',array(&$scopes));
  105. $find = false;
  106. foreach($scopes as $scope=>$description){
  107. if ($scope==$form['scope']){
  108. $find = true;
  109. break;
  110. }
  111. }
  112. if (!$find) throw new Exception("Section not found", 400);
  113. if(isset($form['targetUid'])) $right->targetUid = $form['targetUid'];
  114. if(isset($form['scope'])) $right->scope = $form['scope'];
  115. if(isset($form['firm'])) $right->firm = $form['firm'];
  116. if(isset($form['read'])) $right->read = $form['read'];
  117. if(isset($form['edit'])) $right->edit = $form['edit'];
  118. if(isset($form['delete'])) $right->delete = $form['delete'];
  119. if(isset($form['configure'])) $right->configure = $form['configure'];
  120. $right->save();
  121. Log::put("Création/Modification de droit ".$right->toText(),'Droit');
  122. $response['right'] = array('id'=>$right->id,'scope'=>$right->scope);
  123. });
  124. $api->route('rights/rightid','Supprime un rang du logiciel','DELETE',function($request,&$response){
  125. global $myUser;
  126. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  127. if(empty($request['pathes'])) throw new Exception("You must specify right id", 400);
  128. User::check_access('right','delete');
  129. $right = Right::getById($request['pathes'][0]);
  130. if(!$right) throw new Exception("Right not found",404);
  131. $right->deleteById($right->id);
  132. Log::put("Suppression du rang ".$right->toText(),'Rang');
  133. $response['code'] = 204;
  134. });
  135. //rank api
  136. $api->route('ranks','retourne la liste des rangs du logiciel','GET',function($request,&$response){
  137. global $myUser;
  138. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  139. $response['ranks'] = array();
  140. if(isset($request['parameters']['sort'])) throw new Exception("Sort is not implemented for firms",501);
  141. if(isset($request['parameters']['filter'])) throw new Exception("Filter is not implemented for firms",501);
  142. $limit = isset($request['parameters']['limit']) ? array($request['parameters']['limit']) : array();
  143. foreach (Rank::loadAll(array(),array(),$limit) as $rank) {
  144. $row = $rank->toArray();
  145. $response['ranks'][] = $row;
  146. }
  147. });
  148. $api->route('ranks/[rankid]','ajoute/modifie un rang du logiciel','PUT',function($request,&$response){
  149. global $myUser;
  150. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  151. $response['rank'] = array();
  152. //Création
  153. $_ = $request['parameters'];
  154. $form = json_decode($request['body'],true);
  155. if(!$form) throw new Exception("Invalid JSON body",400);
  156. User::check_access('rank','edit');
  157. if(!empty($request['pathes'])){
  158. $rank = Rank::getById($request['pathes'][0]);
  159. if(empty($rank->id)) throw new Exception("Rank not found", 404);
  160. $response['code'] = 200; //Modifié
  161. }else{
  162. $rank = new rank();
  163. if(!isset($form['label']) || empty($form['label'])) throw new Exception("Le libellé est obligatoire",400);
  164. //Check si un rang n'existe pas déjà avec ce label
  165. if(Rank::load(array('label'=>$form['label']))) throw new Exception("Un rang existe déjà avec ce nom",400);
  166. $rank->label = $form['label'];
  167. $response['code'] = 201; //Créé
  168. }
  169. if(isset($form['label'])) $rank->label = $form['label'];
  170. if(isset($form['description'])) $rank->description = $form['description'];
  171. $rank->save();
  172. Log::put("Création/Modification de rang ".$rank->toText(),'Rang');
  173. $response['rank'] = array('id'=>$rank->id,'label'=>$rank->label);
  174. });
  175. $api->route('ranks/rankid','Supprime un rang du logiciel','DELETE',function($request,&$response){
  176. global $myUser;
  177. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  178. if(empty($request['pathes'])) throw new Exception("You must specify rank id", 400);
  179. User::check_access('rank','delete');
  180. $rank = Rank::getById($request['pathes'][0]);
  181. if(!$rank) throw new Exception("Rank not found",404);
  182. foreach(UserFirmRank::loadAll(array('rank'=>$rank->id)) as $ufrLink)
  183. UserFirmRank::deleteById($ufrLink->id);
  184. $rank->deleteById($rank->id);
  185. Log::put("Suppression du rang ".$rank->toText(),'Rang');
  186. $response['code'] = 204;
  187. });
  188. //firm api
  189. $api->route('firms','retourne la liste des établissements du logiciel','GET',function($request,&$response){
  190. global $myUser;
  191. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  192. $response['firms'] = array();
  193. if(isset($request['parameters']['sort'])) throw new Exception("Sort is not implemented for firms",501);
  194. if(isset($request['parameters']['filter'])) throw new Exception("Filter is not implemented for firms",501);
  195. $limit = isset($request['parameters']['limit']) ? array($request['parameters']['limit']) : array();
  196. foreach (Firm::loadAll(array(),array(),$limit) as $i=>$firm) {
  197. $row = $firm->toArray();
  198. $response['firms'][] = $row;
  199. }
  200. });
  201. $api->route('firms/[firmid]','ajoute/modifie un établissement du logiciel','PUT',function($request,&$response){
  202. global $myUser;
  203. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  204. $response['firm'] = array();
  205. //Création
  206. $_ = $request['parameters'];
  207. $form = json_decode($request['body'],true);
  208. if(!$form) throw new Exception("Invalid JSON body",400);
  209. User::check_access('firm','edit');
  210. if(!empty($request['pathes'])){
  211. $firm = Firm::getById($request['pathes'][0]);
  212. if(empty($firm->id)) throw new Exception("Firm not found", 404);
  213. $response['code'] = 200; //Modifié
  214. }else{
  215. $firm = new Firm();
  216. if(!isset($form['label']) || empty($form['label'])) throw new Exception("Le libellé est obligatoire",400);
  217. if(!isset($form['mail']) || empty($form['mail'])) throw new Exception('Le champ "Mail"est obligatoire',400);
  218. //Check si une firm n'existe pas déjà avec ce label
  219. if(Firm::load(array('label'=>$form['label']))) throw new Exception("Un établissement existe déjà avec ce nom",400);
  220. $firm->label = $form['label'];
  221. $response['code'] = 201; //Créé
  222. }
  223. if(isset($form['label'])) $firm->label = $form['label'];
  224. if(isset($form['description'])) $firm->description = $form['description'];
  225. if(isset($form['mail'])) $firm->mail = $form['mail'];
  226. if(isset($form['phone'])) $firm->phone = $form['phone'];
  227. if(isset($form['fax'])) $firm->fax = $form['fax'];
  228. if(isset($form['street'])) $firm->street = $form['street'];
  229. if(isset($form['street2'])) $firm->street2 = $form['street2'];
  230. if(isset($form['city'])) $firm->city = $form['city'];
  231. if(isset($form['zipcode'])) $firm->zipcode = $form['zipcode'];
  232. if(isset($form['siret'])) $firm->siret = $form['siret'];
  233. if(isset($form['iban'])) $firm->iban = $form['iban'];
  234. $firm->save();
  235. Log::put("Création/Modification de l'établissement ".$firm->toText(),'Etablissement');
  236. $response['firm'] = array('id'=>$firm->id,'label'=>$firm->label);
  237. });
  238. $api->route('firms/firmid','Supprime un établissement du logiciel','DELETE',function($request,&$response){
  239. global $myUser;
  240. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  241. if(empty($request['pathes'])) throw new Exception("You must specify firm id", 400);
  242. User::check_access('firm','delete');
  243. $firm = Firm::getById($request['pathes'][0]);
  244. if(!$firm) throw new Exception("Firm not found",404);
  245. foreach(UserFirmRank::loadAll(array('firm'=>$firm->id)) as $ufrLink)
  246. UserFirmRank::deleteById($ufrLink->id);
  247. $firm->deleteById($firm->id);
  248. Log::put("Suppression de l'établissement ".$firm->toText(),'Etablissement');
  249. $response['code'] = 204;
  250. });
  251. //user api
  252. $api->route('account','retourne les informations du compte connecté','GET',function($request,&$response){
  253. global $myUser;
  254. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  255. $response['account'] = $myUser->toArray();
  256. unset($response['account']['password']);
  257. });
  258. //user api
  259. $api->route('users','retourne la liste des utilisateurs du logiciel','GET',function($request,&$response){
  260. global $myUser;
  261. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  262. $response['users'] = array();
  263. if(isset($request['parameters']['sort'])) throw new Exception("Sort is not implemented for users",501);
  264. if(isset($request['parameters']['filter'])) throw new Exception("Filter is not implemented for users",501);
  265. foreach (User::getAll(array('right'=>false)) as $i=>$user) {
  266. if(isset($request['parameters']['limit']) && $request['parameters']['limit']==$i) break;
  267. $row = $user->toArray();
  268. unset($row['password']);
  269. unset($row['manager']);
  270. $row['origin'] = !isset($row['id']) ? 'plugin': 'database';
  271. $response['users'][] = $row;
  272. }
  273. });
  274. $api->route('users/[userid]','ajoute/modifie un utilisateur du logiciel','PUT',function($request,&$response){
  275. global $myUser;
  276. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  277. $response['user'] = array();
  278. //Création
  279. $_ = $request['parameters'];
  280. $form = json_decode($request['body'],true);
  281. if(!$form) throw new Exception("Invalid JSON body",400);
  282. User::check_access('user','edit');
  283. if(!empty($request['pathes'])){
  284. $user = User::byLogin($request['pathes'][0]);
  285. if(empty($user->login)) throw new Exception("User not found", 404);
  286. $response['code'] = 200; //Modifié
  287. }else{
  288. $user = new User();
  289. if(!isset($form['login']) || empty($form['login'])) throw new Exception("Identifiant obligatoire",400);
  290. if(!isset($form['password']) || empty($form['password'])) throw new Exception("Mot de passe obligatoire",400);
  291. if(!isset($form['mail']) || empty($form['mail'])) throw new Exception('Le champ "Mail"est obligatoire',400);
  292. foreach(User::getAll(array('right'=>false)) as $existingUser)
  293. if($existingUser->mail == trim($_['mail'])) throw new Exception("Un utilisateur existe déjà avec cette adresse e-mail");
  294. //Check si un user n'existe pas déjà avec ce login (on récupère tous les users car user peut être supprimé logiquement / désactivé uniquement)
  295. if(User::load(array('login'=>$form['login']))) throw new Exception("Un utilisateur existe déjà avec cet identifiant",400);
  296. $user->login = $form['login'];
  297. $response['code'] = 201; //Créé
  298. }
  299. if(!empty(trim($form['password']))){
  300. $passwordErrors = User::check_password_format(html_entity_decode($form['password']));
  301. if(count($passwordErrors)!=0 && !$myUser->superadmin) throw new Exception("Le format de mot de passe ne respecte pas les conditions suivantes : <br>".implode("<br>",$passwordErrors), 400);
  302. if($form['password']==$form['login'] || $form['password']==$form['mail'] ) throw new Exception("Le mot de passe ne peut pas être identique à l'identifiant ou à l'e-mail",400);
  303. $user->password = User::password_encrypt($form['password']);
  304. $user->preference('passwordTime',time());
  305. }
  306. if(isset($form['firstname'])) $user->firstname = mb_ucfirst(mb_strtolower($form['firstname']));
  307. if(isset($form['name'])) $user->name = mb_strtoupper($form['name']);
  308. if(isset($form['mail'])) $user->mail = $form['mail'];
  309. $user->state = User::ACTIVE;
  310. if(isset($form['manager'])) $user->manager = $form['manager'];
  311. $user->save();
  312. User::getAll(array('right'=>true,'force'=>true));
  313. Log::put("Création/Modification de l'utilisateur ".$user->toText(),'Utilisateur');
  314. $response['user'] = array('id'=>$user->id,'login'=>$user->login);
  315. });
  316. $api->route('users/userid','Supprime un utilisateur du logiciel','DELETE',function($request,&$response){
  317. global $myUser;
  318. if(!$myUser->connected()) throw new Exception("Credentials are missing",401);
  319. if(empty($request['pathes'])) throw new Exception("You must spcify user login", 400);
  320. User::check_access('user','delete');
  321. $user = User::byLogin($request['pathes'][0]);
  322. if(!$user) throw new Exception("User not found",404);
  323. if($user->superadmin == 1) throw new Exception("You can't delete superadmin account",403);
  324. if($user->login == $myUser->login) throw new Exception("You can't delete your own account",403);
  325. if(empty($user->id)) throw new Exception("You cant delete no db account", 400);
  326. $user = User::getById($user->id);
  327. $user->state = User::INACTIVE;
  328. $user->save();
  329. foreach(UserFirmRank::loadAll(array('user'=>$user->login)) as $ufrLink)
  330. UserFirmRank::deleteById($ufrLink->id);
  331. if(isset($_SESSION['users_rights'])) unset($_SESSION['users_rights']);
  332. if(isset($_SESSION['users_norights'])) unset($_SESSION['users_norights']);
  333. Log::put("Suppression de l'utilisateur ".$user->toText(),'Utilisateur');
  334. $response['code'] = 204;
  335. });
  336. $api->register();
  337. /* FIN CORE API */
  338. ?>