FSN#33929 Alleen FACFAC mag 'unsafe' rapporten aanmaken

svn path=/Website/trunk/; revision=30320
2016-08-16 12:01:33 +00:00
parent b944f08464
commit 3db832f2f6
1 changed files with 13 additions and 10 deletions
--- a/APPL/API2/model_reportsx.inc
+++ b/APPL/API2/model_reportsx.inc
@@ -12,7 +12,6 @@
    Notes:
 */
 %>
-<!-- #include file="../Shared/json2.js" -->
 <!-- #include file="./model_reportcolumns.inc" -->
 <%

@@ -59,9 +58,16 @@ function model_reportsx(usrrap_key, rapparams)
                                }
              };

+    var hasFACFAC = user.has("WEB_FACFAC"); // Die mag ook tabellen doen
    this.is_safe_view = function(viewname)
    {
-        if (viewname && viewname.indexOf(".") != -1)
+        if (hasFACFAC)
+            return true; // die mag alles
+
+        if (rapparams.internal)
+            return true; // cloning
+
+        if (viewname)
        {
            if (viewname.substr(0, 4).toUpperCase() == customerId)
                return true;
@@ -71,6 +77,7 @@ function model_reportsx(usrrap_key, rapparams)
            if (regexp && new RegExp(regexp, 'i').test(viewname))
                return true;

+            __Log("Viewname '{0}' is unsafe for {1}".format(viewname, user.oslogin()));
            return false;
        }
        else
@@ -84,7 +91,6 @@ function model_reportsx(usrrap_key, rapparams)
            params.authparams = user.checkAutorisation(autfunction); // pessimistisch
        };

-    var hasFACFAC = user.has("WEB_FACFAC"); // Die mag ook tabellen doen
    if (!hasFACFAC)
    {
        this.fields.lastrefresh.hidden_fld = true;
@@ -99,12 +105,9 @@ function model_reportsx(usrrap_key, rapparams)

    this._analyze_fields = function (dbfields, params, jsondata) /* analyseer inkomende data, common voor PUT en POST */
        {
-            if (hasFACFAC) // Die mag alles
-            {
-                // viewname zit alleen in dbfields als het een insert is. In edit-mode is dit veld readonly, dus niet in dbfields.
-                if ("viewname" in dbfields)
-                    user.auth_required_or_abort(this.is_safe_view(jsondata.viewname));
-            }
+            // viewname zit alleen in dbfields als het een insert is. In edit-mode is dit veld readonly, dus niet in dbfields.
+            if ("viewname" in dbfields)
+                user.auth_required_or_abort(this.is_safe_view(jsondata.viewname));
        };

    this.hook_pre_edit = function (obj)
@@ -161,7 +164,7 @@ function model_reportsx(usrrap_key, rapparams)
                    this.includes["columns"].model._view2columns(params.filter.id, rap_data.lastrefresh, rap_data.columns);
                    var json = api2.sql2json (params, sql, this ); // En nu opnieuw ophalen
                }
-                if ("viewname" in rap_data && !this.is_safe_view(rap_data.viewname))
+                   if ("viewname" in rap_data && !this.is_safe_view(rap_data.viewname))
                    this.fields["viewname"].readonly = true;

                if (rap_data.styling && rap_data.styling.id & 32) // UDR Template