Admin: Add config disable_webservices

In order to block access to v2.php/registration.soap.php webservices.
4 years ago · fcb8bfcf8b
parent fd1d83a504
commit fcb8bfcf8b
15 changed files with 50 additions and 12 deletions
--- a/documentation/security.html
+++ b/documentation/security.html
@ -25,6 +25,7 @@
  <li><a href="#5.Files-permissions">Restricting files permissions</a></li>
  <li><a href="#6.HSTS">HTTP Headers Security</a></li>
  <li><a href="#7.Direct-web-access">Direct web access to files</a></li>
+  <li><a href="#8.Disable-webservices">Disable webservices</a></li>
 </ol>

 <h2><a name="1.Disclosing-server-info"></a>1. Disclosing server info</h2>
@ -195,6 +196,14 @@ This will prevent direct access to your settings and make it seem totally the sa
    information in images, CSS or JavaScript files, you will need to update
    these rules to suit your needs.
    </p>
+
+<h2><a name="8.Disable-webservices">Disable webservices</a></h2>
+    <p>
+        In order to disable webservices add the configuration below:
+    <pre>
+    $_configuration['disable_webservices'] = true;
+    </pre>
+    </p>
 <h2>Authors</h2>
 <ul>
 <li>Yannick Warnier, Zend Certified PHP Engineer, BeezNest Belgium SPRL,
--- a/main/inc/lib/api.lib.php
+++ b/main/inc/lib/api.lib.php
@ -10158,3 +10158,12 @@ function api_get_print_css(bool $getFileContents = true, bool $useWebPath = fals

    return $cssFile;
 }
+
+function api_protect_webservices()
+{
+    if (api_get_configuration_value('disable_webservices')) {
+        echo "Webservices are disabled. \n";
+        echo "To enable, add \$_configuration['disable_webservices'] = true; in configuration.php";
+        exit;
+    }
+}
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@ -1942,6 +1942,9 @@ ALTER TABLE gradebook_comment ADD CONSTRAINT FK_C3B70763AD3ED51C FOREIGN KEY (gr
 // If true then a variable will be called get_lang('CareerDiagramDisclaimer') and printed below a diagram;
 //$_configuration['career_diagram_disclaimer'] = true;

+// Disable webservices.
+//$_configuration['disable_webservices'] = true;
+
 // KEEP THIS AT THE END
 // -------- Custom DB changes
 // Add user activation by confirmation email
--- a/main/webservices/access_url.php
+++ b/main/webservices/access_url.php
@ -5,6 +5,9 @@
 * @package chamilo.webservices
 */
 require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_webservices();
+
 $debug = true;

 define('WS_ERROR_SECRET_KEY', 1);
--- a/main/webservices/additional_webservices.php
+++ b/main/webservices/additional_webservices.php
@ -7,6 +7,8 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';

+api_protect_webservices();
+
 /**
 * Function to convert from ppt to png
 * This function is used from Chamilo Rapid Lesson.
--- a/main/webservices/api/v2.php
+++ b/main/webservices/api/v2.php
@ -16,6 +16,8 @@
 */
 require_once __DIR__.'/../../inc/global.inc.php';

+api_protect_webservices();
+
 $hash = isset($_REQUEST['hash']) ? $_REQUEST['hash'] : null;

 if ($hash) {
--- a/main/webservices/cm_webservice.php
+++ b/main/webservices/cm_webservice.php
@ -1,13 +1,13 @@
 <?php
+
 /* For licensing terms, see /license.txt */

 use Chamilo\UserBundle\Entity\User;

-/**
- * @package chamilo.webservices
- */
 require_once __DIR__.'/../inc/global.inc.php';

+api_protect_webservices();
+
 /**
 * Error returned by one of the methods of the web service. Contains an error code and an error message.
 */
--- a/main/webservices/courses_list.rest.php
+++ b/main/webservices/courses_list.rest.php
@ -13,6 +13,8 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';

+api_protect_webservices();
+
 /**
 * Get a list of courses (code, url, title, teacher, language) and return to caller
 * Function registered as service. Returns strings in UTF-8.
--- a/main/webservices/courses_list.soap.php
+++ b/main/webservices/courses_list.soap.php
@ -1,4 +1,5 @@
 <?php
+
 /* For licensing terms, see /license.txt */

 /**
@ -14,6 +15,8 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';

+api_protect_webservices();
+
 // Create the server instance
 $server = new soap_server();
 // Initialize WSDL support
--- a/main/webservices/gradebook.php
+++ b/main/webservices/gradebook.php
@ -6,6 +6,8 @@ use Skill as SkillManager;

 require_once __DIR__.'/../inc/global.inc.php';

+api_protect_webservices();
+
 ini_set('memory_limit', -1);

 /*
--- a/main/webservices/lp.php
+++ b/main/webservices/lp.php
@ -6,6 +6,8 @@
 */
 require_once __DIR__.'/../inc/global.inc.php';

+api_protect_webservices();
+
 ini_set('memory_limit', -1);
 /*
 ini_set('upload_max_filesize', '4000M');
--- a/main/webservices/registration.soap.php
+++ b/main/webservices/registration.soap.php
@ -4,10 +4,10 @@
 use Chamilo\CoreBundle\Entity\ExtraField as EntityExtraField;
 use Chamilo\UserBundle\Entity\User;

-/**
- * @package chamilo.webservices
- */
 require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_webservices();
+
 $debug = true;

 define('WS_ERROR_SECRET_KEY', 1);
--- a/main/webservices/soap.php
+++ b/main/webservices/soap.php
@ -1,9 +1,7 @@
 <?php
+
 /* For licensing terms, see /license.txt */

-/**
- * @package chamilo.webservices
- */
 require_once __DIR__.'/../inc/global.inc.php';
 require_once __DIR__.'/webservice.php';

--- a/main/webservices/user_import/service.php
+++ b/main/webservices/user_import/service.php
@ -6,6 +6,8 @@
 */
 require_once __DIR__.'/../../inc/global.inc.php';

+api_protect_webservices();
+
 /**
 * Import users into database from a file located on the server.
 * Function registered as service.
--- a/main/webservices/webservice.php
+++ b/main/webservices/webservice.php
@ -1,10 +1,11 @@
 <?php
+
 /* For licensing terms, see /license.txt */
-/**
- * @package chamilo.webservices
- */
+
 require_once __DIR__.'/../inc/global.inc.php';

+api_protect_webservices();
+
 /**
 * Error returned by one of the methods of the web service.
 * Contains an error code and an error message.