From fcb8bfcf8b947eafbadbd0d629951bba87a1e7fa Mon Sep 17 00:00:00 2001
From: Julio Montoya
Date: Tue, 8 Jun 2021 12:12:23 +0200
Subject: [PATCH] Admin: Add config disable_webservices
In order to block access to v2.php/registration.soap.php webservices.
---
documentation/security.html | 9 +++++++++
main/inc/lib/api.lib.php | 9 +++++++++
main/install/configuration.dist.php | 3 +++
main/webservices/access_url.php | 3 +++
main/webservices/additional_webservices.php | 2 ++
main/webservices/api/v2.php | 2 ++
main/webservices/cm_webservice.php | 6 +++---
main/webservices/courses_list.rest.php | 2 ++
main/webservices/courses_list.soap.php | 3 +++
main/webservices/gradebook.php | 2 ++
main/webservices/lp.php | 2 ++
main/webservices/registration.soap.php | 6 +++---
main/webservices/soap.php | 4 +---
main/webservices/user_import/service.php | 2 ++
main/webservices/webservice.php | 7 ++++---
15 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/documentation/security.html b/documentation/security.html
index 0b641f9cb3..1036fd50b2 100755
--- a/documentation/security.html
+++ b/documentation/security.html
@@ -25,6 +25,7 @@
Restricting files permissions
HTTP Headers Security
Direct web access to files
+ Disable webservices
1. Disclosing server info
@@ -195,6 +196,14 @@ This will prevent direct access to your settings and make it seem totally the sa
information in images, CSS or JavaScript files, you will need to update
these rules to suit your needs.
+
+
+
+ In order to disable webservices add the configuration below:
+
+ $_configuration['disable_webservices'] = true;
+
+
Authors
- Yannick Warnier, Zend Certified PHP Engineer, BeezNest Belgium SPRL,
diff --git a/main/inc/lib/api.lib.php b/main/inc/lib/api.lib.php
index 9c68b8fa08..9393a59f3c 100644
--- a/main/inc/lib/api.lib.php
+++ b/main/inc/lib/api.lib.php
@@ -10158,3 +10158,12 @@ function api_get_print_css(bool $getFileContents = true, bool $useWebPath = fals
return $cssFile;
}
+
+function api_protect_webservices()
+{
+ if (api_get_configuration_value('disable_webservices')) {
+ echo "Webservices are disabled. \n";
+ echo "To enable, add \$_configuration['disable_webservices'] = true; in configuration.php";
+ exit;
+ }
+}
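Review bot: The second `echo` in `api_protect_webservices()` says that adding `$_configuration['disable_webservices'] = true;` enables the webservices, but that is the setting that disables them. It also prints the configuration key and file name to whoever requests a blocked endpoint, before any authentication visible at the call sites. The reply goes out with the default 200 status, so SOAP/REST clients and monitoring cannot tell a disabled service from a malformed response. I would replace both echoes with `http_response_code(403);` followed by `echo 'Webservices are disabled.';` and leave the how-to-enable hint to documentation/security.html. The function also has no docblock; `/** Stops the request when $_configuration['disable_webservices'] is set; call right after global.inc.php in every webservice entry script. */` would state the contract.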
diff --git a/main/install/configuration.dist.php b/main/install/configuration.dist.php
index 57bad03631..e14cc6ffcc 100755
--- a/main/install/configuration.dist.php
+++ b/main/install/configuration.dist.php
@@ -1942,6 +1942,9 @@ ALTER TABLE gradebook_comment ADD CONSTRAINT FK_C3B70763AD3ED51C FOREIGN KEY (gr
// If true then a variable will be called get_lang('CareerDiagramDisclaimer') and printed below a diagram;
//$_configuration['career_diagram_disclaimer'] = true;
+// Disable webservices.
+//$_configuration['disable_webservices'] = true;
+
// KEEP THIS AT THE END
// -------- Custom DB changes
// Add user activation by confirmation email
diff --git a/main/webservices/access_url.php b/main/webservices/access_url.php
index 75c7260f4f..e68d3d9d86 100644
--- a/main/webservices/access_url.php
+++ b/main/webservices/access_url.php
@@ -5,6 +5,9 @@
* @package chamilo.webservices
*/
require_once __DIR__.'/../inc/global.inc.php';
+
+api_protect_webservices();
+
$debug = true;
define('WS_ERROR_SECRET_KEY', 1);
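Review bot: The switch is enforced only where a script calls `api_protect_webservices()` itself, as added here after the `global.inc.php` include and likewise in additional_webservices.php and api/v2.php. It therefore fails open: an entry point under main/webservices that was missed or is added later stays reachable with `disable_webservices` set. The diffstat lists the scripts this commit covers, but nothing in the visible hunks checks that the list is complete. I would add a comment at each call such as `// Must run before any request handling: exits when disable_webservices is set.` and a test that scans main/webservices/*.php for the call. Administrators who need a hard block can also deny the directory at the web server, as the "Direct web access to files" section of security.html appears to do for other paths.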
diff --git a/main/webservices/additional_webservices.php b/main/webservices/additional_webservices.php
index 73ebb32eab..65c6d0dec4 100755
--- a/main/webservices/additional_webservices.php
+++ b/main/webservices/additional_webservices.php
@@ -7,6 +7,8 @@
*/
require_once __DIR__.'/../inc/global.inc.php';
+api_protect_webservices();
+
/**
* Function to convert from ppt to png
* This function is used from Chamilo Rapid Lesson.
diff --git a/main/webservices/api/v2.php b/main/webservices/api/v2.php
index 8268ef2a61..30a4ccdf42 100644
--- a/main/webservices/api/v2.php
+++ b/main/webservices/api/v2.php
@@ -16,6 +16,8 @@
*/
require_once __DIR__.'/../../inc/global.inc.php';
+api_protect_webservices();
+
$hash = isset($_REQUEST['hash']) ? $_REQUEST['hash'] : null;
if ($hash) {
diff --git a/main/webservices/cm_webservice.php b/main/webservices/cm_webservice.php
index a19d93fb23..e7caf5e6ce 100755
--- a/main/webservices/cm_webservice.php
+++ b/main/webservices/cm_webservice.php
@@ -1,13 +1,13 @@