N°6358 - Login API REST

2026-02-13 07:24:13 +01:00 · 2023-06-07 09:13:13 +02:00
parent a45177410e
commit c596fa2967
12 changed files with 165 additions and 41 deletions
--- a/webservices/import.php
+++ b/webservices/import.php
@@ -260,7 +260,36 @@ if (utils::IsModeCLI())
 else
 {
 	require_once(APPROOT.'/application/loginwebpage.class.inc.php');
-	LoginWebPage::DoLogin(); // Check user rights and prompt if needed
+    LoginWebPage::ResetSession(true);
+	$iRet = LoginWebPage::DoLogin(false, false, LoginWebPage::EXIT_RETURN);
+    if ($iRet !== LoginWebPage::EXIT_CODE_OK) {
+        switch ($iRet) {
+            case LoginWebPage::EXIT_CODE_MISSINGLOGIN:
+                $oP->p("Missing parameter 'auth_user'");
+                break;
+
+            case LoginWebPage::EXIT_CODE_MISSINGPASSWORD:
+                $oP->p("Missing parameter 'auth_pwd'");
+                break;
+
+            case LoginWebPage::EXIT_CODE_WRONGCREDENTIALS:
+                $oP->p('Invalid login');
+                break;
+
+            case LoginWebPage::EXIT_CODE_PORTALUSERNOTAUTHORIZED:
+                $oP->p('Portal user is not allowed');
+                break;
+
+            case LoginWebPage::EXIT_CODE_NOTAUTHORIZED:
+                $oP->p('This user is not authorized to use the web services. (The profile REST Services User is required to access the REST web services)');
+                break;
+
+            default:
+                $oP->p("Unknown authentication error (retCode=$iRet)");
+        }
+        $oP->output();
+        exit -1;
+    }

 	$sCSVData = utils::ReadPostedParam('csvdata', '', 'raw_data');
 }
--- a/webservices/rest.php
+++ b/webservices/rest.php
@@ -80,10 +80,12 @@ try
        
 	$oKPI->ComputeAndReport('Data model loaded');

-	$iRet = LoginWebPage::DoLogin(false, false, LoginWebPage::EXIT_RETURN); // Starting with iTop 2.2.0 portal users are no longer allowed to access the REST/JSON API
-        $oKPI->ComputeAndReport('User login');
-        
-        if ($iRet == LoginWebPage::EXIT_CODE_OK)
+    // N°6358 - force credentials for REST calls
+    LoginWebPage::ResetSession(true);
+	$iRet = LoginWebPage::DoLogin(false, false, LoginWebPage::EXIT_RETURN);
+    $oKPI->ComputeAndReport('User login');
+
+    if ($iRet == LoginWebPage::EXIT_CODE_OK)
 	{
 		// Extra validation of the profile
 		if ((MetaModel::GetConfig()->Get('secure_rest_services') == true) && !UserRights::HasProfile('REST Services User'))
@@ -94,7 +96,7 @@ try
 	}
 	if ($iRet != LoginWebPage::EXIT_CODE_OK)
 	{
-		switch($iRet)
+        switch($iRet)
 		{
 			case LoginWebPage::EXIT_CODE_MISSINGLOGIN:
 			throw new Exception("Missing parameter 'auth_user'", RestResult::MISSING_AUTH_USER);