N°993: restrict the access to the REST/JSON web services to users having the profile "REST Services User" (restore 2018-04-10 revisions : r5632..r5633)

SVN:trunk[5630]
2026-04-20 17:18:51 +02:00 · 2018-04-12 08:53:02 +00:00
parent 42606873af
commit c562098ef7
4 changed files with 32 additions and 1 deletions
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -42,6 +42,7 @@ class LoginWebPage extends NiceWebPage
 	const EXIT_CODE_WRONGCREDENTIALS = 3;
 	const EXIT_CODE_MUSTBEADMIN = 4;
 	const EXIT_CODE_PORTALUSERNOTAUTHORIZED = 5;
+	const EXIT_CODE_NOTAUTHORIZED = 6;
 	
 	protected static $sHandlerClass = __class__;
 	public static function RegisterHandler($sClass)
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -1077,6 +1077,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => true,
 		),
+		'secure_rest_services' => array(
+			'type' => 'bool',
+			'description' => 'When set to true, only the users with the profile "REST Services User" are allowed to use the REST web services.',
+			'default' => true,
+			'value' => true,
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		),
 	);

 	public function IsProperty($sPropCode)
--- a/core/datamodel.core.xml
+++ b/core/datamodel.core.xml
@@ -1,3 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <itop_design>
+  <user_rights>
+    <profiles>
+      <profile id="1024" _delta="define">
+        <name>REST Services User</name>
+        <description>Only users having this profile are allowed to use the REST Web Services (unless 'secure_rest_services' is set to false in the configuration file).</description>
+        <groups />
+      </profile>
+    </profiles>
+  </user_rights>
 </itop_design>
--- a/webservices/rest.php
+++ b/webservices/rest.php
@@ -118,6 +118,15 @@ try
 	utils::UseParamFile();

 	$iRet = LoginWebPage::DoLogin(false, false, LoginWebPage::EXIT_RETURN); // Starting with iTop 2.2.0 portal users are no longer allowed to access the REST/JSON API
+	if ($iRet == LoginWebPage::EXIT_CODE_OK)
+	{
+		// Extra validation of the profile
+		if ((MetaModel::GetConfig()->Get('secure_rest_services') == true) && !UserRights::HasProfile('REST Services User'))
+		{
+			// Web services access is limited to the users with the profile REST Web Services
+			$iRet = LoginWebPage::EXIT_CODE_NOTAUTHORIZED;
+		}
+	}
 	if ($iRet != LoginWebPage::EXIT_CODE_OK)
 	{
 		switch($iRet)
@@ -137,7 +146,11 @@ try
 			case LoginWebPage::EXIT_CODE_PORTALUSERNOTAUTHORIZED:
 			throw new Exception("Portal user is not allowed", RestResult::UNAUTHORIZED);
 			break;
-			
+				
+			case LoginWebPage::EXIT_CODE_NOTAUTHORIZED:
+			throw new Exception("This user is not authorized to use the web services. (The profile REST Services User is required to access the REST web services)", RestResult::UNAUTHORIZED);
+			break;
+				
 			default:
 			throw new Exception("Unknown authentication error (retCode=$iRet)", RestResult::UNAUTHORIZED);
 		}