Fix API access protection check

[nka11]

Fix API Access Control bogus implementation

[hregis]

why ? :-)

[nka11]

I was stalled in my devs while trying to use API features with external users.
After tweaking the code, I've read the following in api classes :

 * @access protected
 * @class  DolibarrApiAccess {@requires user,external}

and after debugging deeply, it appears that the require's override in annotation sets a string in the variable, not an array as expect by the initial code.

For the environmen I use :
PHP 7.0.5 (cli) (built: Apr 2 2016 23:10:23) ( NTS )
Linux 4.4.5-1-ARCH #1 SMP PREEMPT
Dolibarr updated with Restler RC6 (ref #4912)

I could propose an alternative fix with a split of the static::$requires var before return in_array but I'm not convinced about performance and i'm pretty sure it will increase memory footprint.

[eldy]

Don't you think this change (having $requires that is a string instead of array may be a result of the RC6 version ?
In dev branch, we are 3.0.0rc5

If yes, may be we can fix by adding a

$requirefortest = static::$requires
if (! is_array($requirefortest)) $requirefortest=explode(',',$requirefortest);
return in_array(static::$role, (array) static::$requirefortest) || static::$role == 'admin';

Can you test this on your case so we have something that works in all cases.

[nka11]

@eldy I think having $requires that is a string instead of array is a standard comportement when it's overrided in annotations.
As I'm not able to test with Restler RC5, I can't tell if the actual implementation works for an external user. If someone can confirm it works, then the alternate implementations would fit. If not, the original implementation is bogus and never worked at all, then I recommand my first proposal as it's more efficient on the resources point of view.

For the PHP7 compliance, I've PR'ed Restler RC6 in #5057.

Regards

[eldy]

To reduce risk of introducing other problem i pushed i fix like i suggested.
It should works for you with RC6. Can you confirm ?