From 4bbce877d89b84a1d3519cde1c4dd28ef4e1f1cc Mon Sep 17 00:00:00 2001
From: Jos Groot Lipman
Date: Wed, 10 May 2017 08:18:56 +0000
Subject: [PATCH] AAIT#39909 'anonieme' autorisatie vanuit een link in de bon of e-mail
svn path=/Website/trunk/; revision=33762
---
 APPL/API/shorturl.asp | 30 ++++++++++++++++++++++-------
 APPL/MLD/mld_close_confirm.asp | 9 ++++++---
 APPL/MLD/mld_close_save.asp | 5 +++--
 APPL/MLD/mld_edit_melding.asp | 7 ++++---
 APPL/MLD/mld_edit_melding_save.asp | 4 +++-
 APPL/MLD/mld_edit_note_save.asp | 6 ++++--
 APPL/MLD/mld_edit_opdr.asp | 7 +++++--
 APPL/MLD/mld_edit_opdr_save.asp | 4 +++-
 APPL/MLD/mld_melding.asp | 4 ++--
 APPL/MLD/mld_opdr.asp | 6 ++++--
 APPL/MLD/mld_show_melding.asp | 4 ++--
 APPL/MLD/mld_show_note2.asp | 5 +++--
 APPL/MLD/mld_show_opdr.asp | 7 +++++--
 APPL/MLD/opdr_accept.asp | 5 ++++-
 APPL/MLD/opdr_approve.asp | 7 ++++---
 APPL/MLD/opdr_cancel_confirm.asp | 8 ++++----
 APPL/MLD/opdr_cancel_save.asp | 5 ++---
 APPL/MLD/opdr_close_confirm.asp | 7 +++++--
 APPL/MLD/opdr_close_save.asp | 4 +++-
 APPL/MLD/opdr_edit_note.asp | 6 ++++--
 APPL/MLD/opdr_edit_note_save.asp | 3 ++-
 APPL/MLD/opdr_list.asp | 4 +++-
 APPL/MLD/opdr_show_note.asp | 6 ++++--
 APPL/PDA/melding.asp | 7 +++++--
 APPL/PDA/order.asp | 6 ++++--
 APPL/Shared/BijlagenForm.asp | 16 ++++++++++-----
 APPL/Shared/BijlagenForm_delete.asp | 13 +++++++++----
 APPL/Shared/Common.inc | 21 +++++++++++++-------
 APPL/Shared/UploadForm_save.asp | 11 ++++++++---
 APPL/Shared/xml_converter.inc | 19 ++++++++++++++++++
 30 files changed, 172 insertions(+), 74 deletions(-)
diff --git a/APPL/API/shorturl.asp b/APPL/API/shorturl.asp
index 8396bdbcf7..8e7a9d470e 100644
--- a/APPL/API/shorturl.asp
+++ b/APPL/API/shorturl.asp
@@ -47,17 +47,33 @@ __Log("== Entering shorturl.asp ==");
 }
 var keyparam = getQParamInt("k", -1);
- var locked_user_key = getQParamInt("locked_user_key", -1);
-/* // TODO: beschermen met hmac
+ var locked_user_key = getQParamInt("luk", -1);
+ // TODO: beschermen met hmac
 // Daarom nog niet geactiveerd
 if (locked_user_key > 0)
 {
- Session("locked_user_key") = locked_user_key;
- var user_allowed = Session("locked_user_allowed");
- Session("locked_user_allowed") = {};
- Session("locked_user_allowed")[u] = keyparam; // TODO: Array voor als je meerdere tabjes open hebt
+ var user_allowed = Session("locked_user_allowed") || []; // Array voor als je meerdere tabjes open hebt
+ var found = false;
+ for (var i = 0; i < user_allowed.length; i++)
+ {
+ if (user_allowed[i].locked_user_key == locked_user_key &&
+ user_allowed[i].xmlnode == u &&
+ user_allowed[i].key == keyparam)
+ {
+ found = true;
+ break;
+ }
+ }
+ if (!found)
+ {
+ user_allowed.push({ locked_user_key: locked_user_key,
+ xmlnode: u,
+ key: keyparam
+ })
+ Session("locked_user_allowed") = user_allowed;
+ }
 }
-*/
+
 // For flexiblity reasons: Literal or runtime parameter(s), just pass through...
 var rest = String(Request.ServerVariables("QUERY_STRING"));
 // Request.ServerVariables("QUERY_STRING") is url-encoded,
 // dat is hier safer dan Request.QueryString
diff --git a/APPL/MLD/mld_close_confirm.asp b/APPL/MLD/mld_close_confirm.asp
index ab8c8d7937..5508b96ef5 100644
--- a/APPL/MLD/mld_close_confirm.asp
+++ b/APPL/MLD/mld_close_confirm.asp
@@ -12,7 +12,12 @@ D Na afsluiten van laatste opdracht en eventueel 'autoclose' melding
 Bij A en B ook eventueel checkbox of alle opdrachten ook dicht moeten
-*/ %>
+*/
+var mld_key_arr = getQParamIntArray("mld_key");
+if (mld_key_arr.length)
+ var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key_arr[0] };
+
+%>
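Review bot: The `luk` branch goes live without any integrity check: the `/* ... */` that disabled it is removed, yet the comment `// TODO: beschermen met hmac` / `// Daarom nog niet geactiveerd` is kept, so anyone who knows or guesses a user key can call `shorturl.asp?u=melding&k=<key>&luk=<user>` and have that triple stored as an allowed record for that user in their own session. Other pages in this patch call `protectQS.verify()` before trusting query parameters and xml_converter.inc produces the signed form of exactly this link, so the same verification belongs here, ahead of the `push`; whether `verify` needs a counterpart to the `no_user_key` option used by `create` is not visible in this hunk. The stale comment should then say what actually protects the parameters, e.g. `// luk/k are only honoured after protectQS.verify(); the link is signed in xml_converter.inc`. Also require `keyparam > 0` in the same condition: an entry stored with the `getQParamInt("k", -1)` default would later satisfy any page whose own key defaulted to -1.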
@@ -21,8 +26,6 @@ <% // LET OP: Het eerste stuk komt (nog) letterlijk ook zo terug bij mld_close_save.asp -var mld_key_arr = getQParamIntArray("mld_key"); - var verynew = getQParamInt("verynew", 0) == 1; var lastopdr = (getQParamInt("lastopdr", 0) == 1) var TransitParam = buildTransitParam(["mld_key", "verynew", "lastopdr"]); diff --git a/APPL/MLD/mld_close_save.asp b/APPL/MLD/mld_close_save.asp index b8413532a1..4743d34b58 100644 --- a/APPL/MLD/mld_close_save.asp +++ b/APPL/MLD/mld_close_save.asp @@ -11,6 +11,9 @@ */ var JSON_Result = true; +var mld_key_arr = getQParamIntArray("mld_key"); +if (mld_key_arr.length) + var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key_arr[0] }; %> @@ -20,8 +23,6 @@ var JSON_Result = true; <% // LET OP: Het eerste stuk komt (nog) letterlijk ook zo terug bij mld_close_confirm.asp -var mld_key_arr = getQParamIntArray("mld_key"); - var verynew = getQParamInt("verynew", 0) == 1; var submitting = getQParamInt("submit", 0) == 1; var lastopdr = (getQParamInt("lastopdr", 0) == 1) diff --git a/APPL/MLD/mld_edit_melding.asp b/APPL/MLD/mld_edit_melding.asp index 7205c8569a..f653677838 100644 --- a/APPL/MLD/mld_edit_melding.asp +++ b/APPL/MLD/mld_edit_melding.asp @@ -12,8 +12,10 @@ Note: De lcl-textcontextswitcher is srtdisc=ins_srtdiscipline_key Deze is dus verplicht dus kan lcl.set_dialect worden aangeroepen. -*/ %> - +*/ +var mld_key = getQParamInt("mld_key", -1); +var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key }; +%> @@ -53,7 +55,6 @@ else var authparams = user.checkAutorisation(autfunction); // Dit is nog ongeacht de melding // de melding waar het over gaat -var mld_key = getQParamInt("mld_key", -1); var copy = (getQParamInt("mld_copy", 0) == 1); var ins_key = getQParamInt("ins_key", -1); // nieuwe melding op dit object? var fromkb = getQParamInt("fromkb", 0) == 1; // Ik kom vanuit kennisbank diff --git a/APPL/MLD/mld_edit_melding_save.asp b/APPL/MLD/mld_edit_melding_save.asp index 44441bb5bd..889ad25e8a 100644 
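Review bot: In mld_close_save.asp `LOCKED_USER_OK` vouches only for `mld_key_arr[0]`, but the page keeps the whole `mld_key_arr` (and `lastopdr`/`verynew`) for the rest of its body, which lies outside this hunk; a locked user holding a link for one melding can append further `mld_key` values and the session gate in Common.inc will accept the request as a whole. Restrict the locked path to a single key, `if (mld_key_arr.length == 1)`, or validate each element against the allowed list before anything is saved. The same `[0]`-only check is repeated in mld_close_confirm.asp, opdr_accept.asp, opdr_approve.asp, opdr_close_confirm.asp and opdr_close_save.asp; whether the per-key authorisation further down each page already rejects the extra keys cannot be seen here.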
--- a/APPL/MLD/mld_edit_melding_save.asp +++ b/APPL/MLD/mld_edit_melding_save.asp @@ -13,6 +13,9 @@ de introductie van de savewhen parameter in de save2db */ var JSON_Result = true; + +var mld_key = getFParamInt("mld_key", -1); +var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key }; %> @@ -63,7 +66,6 @@ var fronto = urole == "fo"; var backo = urole == "bo"; var frontend = (!fronto & !backo); -var mld_key = getFParamInt("mld_key", -1); var parent_key = getFParamInt("parent_key", -1); var isNew = (mld_key <= 0); // dan gaan we S("mld_melding_autoprint") beschouwen diff --git a/APPL/MLD/mld_edit_note_save.asp b/APPL/MLD/mld_edit_note_save.asp index 2e99ed26ff..bf70ee2cc0 100644 --- a/APPL/MLD/mld_edit_note_save.asp +++ b/APPL/MLD/mld_edit_note_save.asp @@ -14,6 +14,8 @@ */ var JSON_Result = true; +var mld_key = getQParamInt("mld_key"); +var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key }; %> @@ -21,8 +23,8 @@ var JSON_Result = true; <% -var mld_key = getQParamInt("mld_key"); -var notestamp = getFParamDate("notestamp", new Date); + +var notestamp = getFParamDate("notestamp", new Date()); var changedby = note_recently_changed(mld_key, notestamp); diff --git a/APPL/MLD/mld_edit_opdr.asp b/APPL/MLD/mld_edit_opdr.asp index 34ec20f0cc..746c0b6048 100644 --- a/APPL/MLD/mld_edit_opdr.asp +++ b/APPL/MLD/mld_edit_opdr.asp @@ -16,7 +16,11 @@ Context: Note: Submit naar mld_edit_opdr_save.asp Sinds FSN#20132 kan type_opdr niet meer hier getoggled worden. -*/ %> +*/ +var opdr_key = getQParamInt("opdr_key", -1); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; + +%> @@ -48,7 +52,6 @@ var minfo = urole == "mi"; var frontend = (urole == "fe" || (!fronto & !backo & !minfo)); // NOT APPLICABLE? // Ik wil een opdrachtnummer weten, anders verplicht een melding_key (= toevoegen opdracht) -var opdr_key = getQParamInt("opdr_key", -1); var copy = (getQParamInt("opdr_copy", 0) == 1); var finish = (getQParamInt("finish", 0) == 1); var opdr_copy_key = -1; 
diff --git a/APPL/MLD/mld_edit_opdr_save.asp b/APPL/MLD/mld_edit_opdr_save.asp index 5ad67bb37d..0aa9a59e77 100644 --- a/APPL/MLD/mld_edit_opdr_save.asp +++ b/APPL/MLD/mld_edit_opdr_save.asp @@ -16,6 +16,9 @@ - bestaand en onlangs gefiatteerd (status==4) */ var JSON_Result = true; + +var opdr_key = getQParamInt("opdr_key", -1); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; %> @@ -27,7 +30,6 @@ var JSON_Result = true; <% -var opdr_key = getQParamInt("opdr_key", -1); var ismobile = getQParamInt("mobile", 0) == 1; var isNew = (opdr_key < 0); diff --git a/APPL/MLD/mld_melding.asp b/APPL/MLD/mld_melding.asp index 742f6dcafd..9e9d221b56 100644 --- a/APPL/MLD/mld_melding.asp +++ b/APPL/MLD/mld_melding.asp @@ -17,7 +17,8 @@ Note: */ -var LOCKED_USER_OK = { "xmlnode": "melding", "key": getQParamInt("mld_key", -1) }; +var mld_key = getQParamInt("mld_key", -1); +var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key }; %> @@ -33,7 +34,6 @@ var verynew = getQParamInt("verynew", 0) == 1; var noteonly = getQParamInt("noteonly", 0) == 1; // de melding waar het over gaat, kan leeg zijn voor nieuwe, maar dat mag niet met bo of mi -var mld_key = getQParamInt("mld_key", -1); var copy = (getQParamInt("mld_copy", 0) == 1); var standalone = (getQParamInt("standalone", 0) == 1); var ins_key = getQParamInt("ins_key", -1); // nieuwe melding op dit object? diff --git a/APPL/MLD/mld_opdr.asp b/APPL/MLD/mld_opdr.asp index 6698810525..c76c17172e 100644 --- a/APPL/MLD/mld_opdr.asp +++ b/APPL/MLD/mld_opdr.asp @@ -13,7 +13,10 @@ Context: Note: TODO: In verband met afmelden van de opdracht de verwerking met parameter close=1 of opdr_copy=1 vanaf hier goed afwerken -*/ %> +*/ +var opdr_key = getQParamInt("opdr_key", -1); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; +%> 
@@ -25,7 +28,6 @@ FCLTHeader.Requires({ plugins:["suggest","jQuery"], }) // AUTORISATIEPARAMETERS -var opdr_key = getQParamInt("opdr_key", -1); if (opdr_key > 0 ) { var authparamsORDBOF = user.checkAutorisation("WEB_ORDBOF", true); diff --git a/APPL/MLD/mld_show_melding.asp b/APPL/MLD/mld_show_melding.asp index 75f0129b88..5931d4d70c 100644 --- a/APPL/MLD/mld_show_melding.asp +++ b/APPL/MLD/mld_show_melding.asp @@ -21,7 +21,8 @@ lcl's worden meegegeven. */ -var LOCKED_USER_OK = { "xmlnode": "melding", "key": getQParamInt("mld_key") }; +var mld_key = getQParamInt("mld_key"); +var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key }; %> @@ -46,7 +47,6 @@ var backo = urole == "bo"; var minfo = urole == "mi"; var frontend = (!fronto & !backo & !minfo); -var mld_key = getQParamInt("mld_key"); var mld_melding = mld.mld_melding_info(mld_key); // Globale variabele met alle mld_melding informatie var stdm_info = mld.mld_stdmeldinginfo(mld_melding.stdm); diff --git a/APPL/MLD/mld_show_note2.asp b/APPL/MLD/mld_show_note2.asp index 2a08028dcf..f18e305680 100644 --- a/APPL/MLD/mld_show_note2.asp +++ b/APPL/MLD/mld_show_note2.asp @@ -11,7 +11,9 @@ Note: Nu kan iedereen hier zijn, FE of FOBO. FE mag de interne notes niet zien, let daarop. */ -var LOCKED_USER_OK = { "xmlnode": "melding", "key": getQParamInt("mld_key") }; + +var mld_key = getQParamInt("mld_key"); // altijd verplicht mld_key +var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key }; %> @@ -23,7 +25,6 @@ var LOCKED_USER_OK = { "xmlnode": "melding", "key": getQParamInt("mld_key") }; <% FCLTHeader.Requires({js: ["../mld/mld_list.js"]}) -var mld_key = getQParamInt("mld_key"); // altijd verplicht mld_key var urole = getQParamSafe("urole", "fe"); var outputmode = getQParamInt("outputmode", 0); var tracking = getQParamInt("tracking", (urole=="fe"?0:1)) == 1; // tracking erbij tonen? Onderdrukken met 0 diff --git a/APPL/MLD/mld_show_opdr.asp b/APPL/MLD/mld_show_opdr.asp index 2f01dde3a1..664cf6c3cc 100644 
--- a/APPL/MLD/mld_show_opdr.asp +++ b/APPL/MLD/mld_show_opdr.asp @@ -10,7 +10,11 @@ Context: Note: -*/ %> +*/ +var opdr_key = getQParamInt("opdr_key"); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; + +%> @@ -40,7 +44,6 @@ var backo = urole == "bo"; var minfo = urole == "mi"; var frontend = (!fronto & !backo & !minfo); -var opdr_key = getQParamInt("opdr_key"); var this_opdr = mld.func_enabled_opdracht(opdr_key); // wat mag ik zoal op deze opdracht var hasBOread = this_opdr.canReadBOF || this_opdr.canReadORD; var hasBO2read = this_opdr.canReadBO2; diff --git a/APPL/MLD/opdr_accept.asp b/APPL/MLD/opdr_accept.asp index 29947d0be3..e46ab87c40 100644 --- a/APPL/MLD/opdr_accept.asp +++ b/APPL/MLD/opdr_accept.asp @@ -11,6 +11,10 @@ <% var JSON_Result = true; + +var opdr_key_arr = getFParamIntArray("opdr_key"); +if (opdr_key_arr.length) + var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key_arr[0] }; %> @@ -20,7 +24,6 @@ var JSON_Result = true; <% /***** Get webform parameters *****/ -var opdr_key_arr = getFParamIntArray("opdr_key"); var hltactive = getFParamInt("hltactive", 0) == 1; // Onderbreek de actieve opdracht. var result = { message: "", success: false }; diff --git a/APPL/MLD/opdr_approve.asp b/APPL/MLD/opdr_approve.asp index 83852cd311..a5d5374726 100644 --- a/APPL/MLD/opdr_approve.asp +++ b/APPL/MLD/opdr_approve.asp @@ -11,6 +11,10 @@ <% var JSON_Result = true; + +var opdr_key_arr = getFParamIntArray("opdr_key"); +if (opdr_key_arr.length) + var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key_arr[0] }; %> @@ -20,11 +24,8 @@ var JSON_Result = true; <% protectRequest.validateToken(); -/***** Get webform parameters *****/ -var opdr_key_arr = getFParamIntArray("opdr_key"); var result = { message: "", success: false }; -/***** End get webform parameters *****/ var result = {}; var tobeapproved = 0; diff --git a/APPL/MLD/opdr_cancel_confirm.asp b/APPL/MLD/opdr_cancel_confirm.asp index 0dd316309a..29f6483933 100644 
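Review bot: opdr_approve.asp now lets a locked user in on the strength of `opdr_key_arr[0]` alone, while the removed "Get webform parameters" block shows the page works on the full `opdr_key_arr` (the `tobeapproved` loop continues past the hunk), so extra `opdr_key` form values ride along under the first key's authorisation. `protectRequest.validateToken()` still runs, but it protects against CSRF, not against a key the gate never examined. Either `if (opdr_key_arr.length == 1)` for the locked path or check every element later; opdr_accept.asp in the same file section has the identical shape.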
--- a/APPL/MLD/opdr_cancel_confirm.asp +++ b/APPL/MLD/opdr_cancel_confirm.asp @@ -10,7 +10,10 @@ Context: Note: -*/ %> +*/ +var opdr_key = getQParamInt("opdr_key", -1); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; +%> @@ -20,9 +23,6 @@ <% FCLTHeader.Requires({ plugins: ["jQuery"] }); -/***** Get webform parameters *****/ -var opdr_key = getQParamInt("opdr_key", -1); - user.auth_required_or_abort(opdr_key > 0); // Hebben we een opdracht key gekregen? // Controleren of ik deze opdracht mag annuleren diff --git a/APPL/MLD/opdr_cancel_save.asp b/APPL/MLD/opdr_cancel_save.asp index b165e4721b..e52b9711c4 100644 --- a/APPL/MLD/opdr_cancel_save.asp +++ b/APPL/MLD/opdr_cancel_save.asp @@ -15,16 +15,15 @@ <% var JSON_Result = true; +var opdr_key = getQParamInt("opdr_key", -1); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; %> - - <% protectRequest.validateToken(); -var opdr_key = getQParamInt("opdr_key", -1); user.auth_required_or_abort(opdr_key > 0); // Hebben we een opdracht key gekregen? // Controleren of ik deze opdracht mag annuleren diff --git a/APPL/MLD/opdr_close_confirm.asp b/APPL/MLD/opdr_close_confirm.asp index 79ea4e8cae..647d685f7c 100644 --- a/APPL/MLD/opdr_close_confirm.asp +++ b/APPL/MLD/opdr_close_confirm.asp @@ -14,7 +14,11 @@ er wordt dan ook geen opmerking gevraagd B Rechtstreeks vanuit showmode opdracht -*/ %> +*/ +var opdr_key_arr = getQParamIntArray("opdr_key"); +if (opdr_key_arr.length) + var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key_arr[0] }; +%> @@ -29,7 +33,6 @@ FCLTHeader.Requires({plugins: ["jQuery"], js: ["date.js", "jquery.timepicker-table.js"], css: ["timePicker-table.css"]}); -var opdr_key_arr = getQParamIntArray("opdr_key"); // Als de opdrachten niet sequentieel uitgevoerd moeten worden, dan wordt er ook geen onderbroken opdracht gevonden. var hltopdr = mld.gethltopdrachten(opdr_key_arr[0]); var reqStatusEmptyMelding = []; 
diff --git a/APPL/MLD/opdr_close_save.asp b/APPL/MLD/opdr_close_save.asp index 04832e5210..dea8ea0546 100644 --- a/APPL/MLD/opdr_close_save.asp +++ b/APPL/MLD/opdr_close_save.asp @@ -15,6 +15,9 @@ */ var JSON_Result = true; +var opdr_key_arr = getQParamIntArray("opdr_key"); +if (opdr_key_arr.length) + var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key_arr[0] }; %> @@ -57,7 +60,6 @@ function writeOpdrOpmToMld() mld.trackmeldingupdate(mld_opdr.mld_key, L("lcl_mld_is_mldupd") + "\n" + mldUpd.trackarray.join("\n")); } -var opdr_key_arr = getQParamIntArray("opdr_key"); var mld_hlt = (Request.Form("mld_hlt").count == 1); var result = {}; var ingesloten = []; diff --git a/APPL/MLD/opdr_edit_note.asp b/APPL/MLD/opdr_edit_note.asp index 25d996471d..5b1326122d 100644 --- a/APPL/MLD/opdr_edit_note.asp +++ b/APPL/MLD/opdr_edit_note.asp @@ -9,7 +9,10 @@ Parameters: fronto/backo Context: vanuit opdracht-detail/overzicht Note: -*/ %> +*/ +var opdr_key = getQParamInt("opdr_key"); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; +%> @@ -20,7 +23,6 @@ <% FCLTHeader.Requires({ plugins: [] }); -var opdr_key = getQParamInt("opdr_key"); var this_opdr = mld.func_enabled_opdracht(opdr_key); // wat mag ik zoal op deze opdracht user.auth_required_or_abort(this_opdr.canEditOpdrNote); diff --git a/APPL/MLD/opdr_edit_note_save.asp b/APPL/MLD/opdr_edit_note_save.asp index 971bdd18fe..57e5dc93ae 100644 --- a/APPL/MLD/opdr_edit_note_save.asp +++ b/APPL/MLD/opdr_edit_note_save.asp @@ -14,6 +14,8 @@ */ var JSON_Result = true; +var opdr_key = getQParamInt("opdr_key"); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; %> @@ -21,7 +23,6 @@ var JSON_Result = true; <% -var opdr_key = getQParamInt("opdr_key"); var note_key = getQParamInt("note_key", -1); var note = getFParam("note", ""); diff --git a/APPL/MLD/opdr_list.asp b/APPL/MLD/opdr_list.asp index b11e8e780f..a983a57a97 100644 --- a/APPL/MLD/opdr_list.asp +++ b/APPL/MLD/opdr_list.asp 
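Review bot: opdr_close_save.asp closes every key in `opdr_key_arr` (the per-opdracht work after `writeOpdrOpmToMld` is outside the hunk) but the locked-user gate checks only `opdr_key_arr[0]`, so one valid link covers any additional `opdr_key` a caller adds to the query string. `writeOpdrOpmToMld` then writes tracking text into `mld_opdr.mld_key`, i.e. the side effect lands on records the link never authorised. Limit the locked path to `opdr_key_arr.length == 1` or verify each element against the session's allowed list before the save.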
@@ -11,7 +11,9 @@ optioneel: allerlei zoekcriteria Context: Vanuit een Facilitor ASP die een lijstje van opdrachten wil tonen (in een iframe) Note: -*/ %> +*/ +var LOCKED_USER_OK = { "xmlnode": "melding", "key": getQParamInt("mld_key", null) }; +%> diff --git a/APPL/MLD/opdr_show_note.asp b/APPL/MLD/opdr_show_note.asp index 9ce426d89b..eb382ec55e 100644 --- a/APPL/MLD/opdr_show_note.asp +++ b/APPL/MLD/opdr_show_note.asp @@ -11,7 +11,10 @@ Note: -*/%> +*/ +var opdr_key = getQParamInt("opdr_key"); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; +%> @@ -21,7 +24,6 @@ <% FCLTHeader.Requires({ }) -var opdr_key = getQParamInt("opdr_key"); var urole = getQParamSafe("urole", "fe"); var embedded = getQParamInt("embedded", -1); var outputmode = getQParamInt("outputmode", 0); diff --git a/APPL/PDA/melding.asp b/APPL/PDA/melding.asp index e8ee9c6719..101f4ba7ce 100644 --- a/APPL/PDA/melding.asp +++ b/APPL/PDA/melding.asp @@ -18,7 +18,11 @@ Je kunt en moet eenkostenplaats invullen: - als bij vakgroeptype Defaultwaarde kosten klant "Standaard Aan" is - als bij Vakgroep Kostenplaats verplicht aangevinkt is -*/ %> +*/ +var mld_key = getQParamInt("mld_key",-1); +var LOCKED_USER_OK = { "xmlnode": "melding", "key": mld_key }; + +%> @@ -36,7 +40,6 @@ FCLTHeader.Requires({ js: ["./modernizr-3.3.0.custom.min.js"] }); FCLTHeader.Requires({plugins: ["suggest"]}); -var mld_key = getQParamInt("mld_key",-1); var action = getQParam("action", ""); var qrc = getQParamInt("qrc", 0) != 0; var meldbron_key = getQParamInt("meldbronkey", 7); // 7 = mobile diff --git a/APPL/PDA/order.asp b/APPL/PDA/order.asp index 0dcec8a912..e0f93077ea 100644 --- a/APPL/PDA/order.asp +++ b/APPL/PDA/order.asp @@ -4,7 +4,10 @@ $Id$ TODO: lijkt mij dat er gewoon naar ../mld_close resp. ../opdr_close.asp moet worden gesubmit? -*/ %> +*/ +var opdr_key = getQParamInt("opdr_key", -1); +var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": opdr_key }; +%> 
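Review bot: opdr_list.asp is the one page in this patch where `LOCKED_USER_OK.key` defaults to `null` (`getQParamInt("mld_key", null)`) instead of -1; with `null` an absent `mld_key` can never equal a numeric session entry in Common.inc, which is the safer behaviour, but nothing marks it as intentional and the next edit will likely "normalise" it to -1. Add `// null, not -1: an absent mld_key must never match a stored locked-user entry` on that line. The list's search-criteria parameters are outside this hunk.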
@@ -24,7 +27,6 @@ FCLTHeader.Requires({ plugins: ["suggest"] , js: ["../mld/mld_edit_opdr.js", "jquery.timepicker-table.js"], css: ["timePicker-table.css"]}); -var opdr_key = getQParamInt("opdr_key", -1); var mld_key = getQParamInt("mld_key", -1); var copy = false; diff --git a/APPL/Shared/BijlagenForm.asp b/APPL/Shared/BijlagenForm.asp index 2f322e2b7b..140d7cf003 100644 --- a/APPL/Shared/BijlagenForm.asp +++ b/APPL/Shared/BijlagenForm.asp @@ -27,7 +27,15 @@ Met TAMPER bescherming! TODO: pMulti, Reado en encrypt zelf bepalen uit key, Module, en Kenmerk_key, ach, we hebben tamper bescherming -*/ %> +*/ +var pKey = getQParamInt("key", -1); +var pModule = getQParamSafe("module"); +var pNiveau = getQParamSafe("niveau", ""); +if (pModule == "MLD" && pNiveau == "M") + var LOCKED_USER_OK = { "xmlnode": "melding", "key": pKey }; +else if (pModule == "MLD" && pNiveau == "O") + var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": pKey }; +%> @@ -37,10 +45,7 @@ protectQS.verify({ allowparams: ["no_autoscroll"]}); // tamper check // key of folder wordt doorgegeven -var pKey = getQParamInt("key", -1); -var pNiveau = getQParamSafe("niveau", ""); -var pModule = getQParamSafe("module"); var pKenmerk_key = getQParamInt("kenmerk_key", -1); var pMulti = getQParamInt("multi", 0) == 1; var pReado = getQParamInt("reado", 0) == 1; @@ -48,7 +53,8 @@ var pReado = getQParamInt("reado", 0) == 1; var showFilter = getFParam("showFilter", ""); // zoek mogelijkheid binnen lijst bestanden var pAlgLevel = getQParam("kenmerk_module", ""); -var transitParam = buildTransitParam(["key", "module", "niveau", "kenmerk_key", "encrypt", "extFilter", "pregexp", "showFilter", "reado", "multi", "tmpfolder", "kenmerk_module"]); +var transitParam = buildTransitParam(["key", "module", "niveau", "kenmerk_key", "encrypt", "extFilter", "pregexp", + "showFilter", "reado", "multi", "tmpfolder", "kenmerk_module"]); params = flexProps(pModule, pKey, String(pKenmerk_key), pNiveau, {alglevel: pAlgLevel}); 
diff --git a/APPL/Shared/BijlagenForm_delete.asp b/APPL/Shared/BijlagenForm_delete.asp index dee0239d1b..0e2d99fe3b 100644 --- a/APPL/Shared/BijlagenForm_delete.asp +++ b/APPL/Shared/BijlagenForm_delete.asp @@ -11,6 +11,14 @@ Note: */ var JSON_Result = true; + +var pModule = getQParamSafe("module"); +var pNiveau = getQParamSafe("niveau", ""); +var pKey = getQParamInt("key", -1); +if (pModule == "MLD" && pNiveau == "M") + var LOCKED_USER_OK = { "xmlnode": "melding", "key": pKey }; +else if (pModule == "MLD" && pNiveau == "O") + var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": pKey }; %> @@ -20,12 +28,9 @@ var JSON_Result = true; protectQS.verify(); // tamper check protectRequest.validateToken(); -var pKey = getQParamInt("key", -1); -var pModule = getQParamSafe("module"); -var pNiveau = getQParamSafe("niveau", ""); var pKenmerk_key = getQParamInt("kenmerk_key", -1); var pAlgLevel = getQParam("kenmerk_module", ""); -var pDoDelete = getQParam("DoDelete", ""); +var pDoDelete = getQParam("DoDelete", ""); // te verwijderen bestand var params = flexProps(pModule, pKey, String(pKenmerk_key), pNiveau, {alglevel: pAlgLevel}); diff --git a/APPL/Shared/Common.inc b/APPL/Shared/Common.inc index 511601f36e..10c368763b 100644 --- a/APPL/Shared/Common.inc +++ b/APPL/Shared/Common.inc 
@@ -249,15 +249,22 @@ if (S("sys_ip_lockmode") > 0)
 // Zijn we bekend? Zo niet dan naar login.asp om dat uit te zoeken
 var user_key = Session("user_key") || -1;
-if (user_key < 0 && typeof LOCKED_USER_OK != "undefined" && Session("locked_user_key") > 0)
+
+var user_allowed = Session("locked_user_allowed") || [];
+
+if (user_key < 0 && typeof LOCKED_USER_OK != "undefined" && user_allowed.length)
 // Is de huidige pagina geschikt voor locked users?
 {
- var user_allowed = Session("locked_user_allowed");
- if (LOCKED_USER_OK === true ||
- user_allowed[LOCKED_USER_OK.xmlnode] == LOCKED_USER_OK.key)
+ for (var i = 0; i < user_allowed.length; i++)
 {
- var user_key = Session("locked_user_key");
- Session("user_lang") = "NL";
- Session("time_zone") = "Europe/Amsterdam"
+ if (LOCKED_USER_OK === true ||
+ (user_allowed[i].xmlnode == LOCKED_USER_OK.xmlnode &&
+ user_allowed[i].key == LOCKED_USER_OK.key))
+ {
+ var user_key = user_allowed[i].locked_user_key;
+ Session("user_lang") = "NL";
+ Session("time_zone") = "Europe/Amsterdam"
+ break;
+ }
 }
 }
diff --git a/APPL/Shared/UploadForm_save.asp b/APPL/Shared/UploadForm_save.asp
index 1b3490cc35..b0ec58785b 100644
--- a/APPL/Shared/UploadForm_save.asp
+++ b/APPL/Shared/UploadForm_save.asp
@@ -16,6 +16,14 @@
 */
 if (Server.ScriptTimeout < 600) Server.ScriptTimeout = 600; // 10 minuten moet echt genoeg zijn
+
+var pKey = getQParamInt("key", -1);
+var pModule = getQParamSafe("module");
+var pNiveau = getQParamSafe("niveau", "");
+if (pModule == "MLD" && pNiveau == "M")
+ var LOCKED_USER_OK = { "xmlnode": "melding", "key": pKey };
+else if (pModule == "MLD" && pNiveau == "O")
+ var LOCKED_USER_OK = { "xmlnode": "opdracht", "key": pKey };
 %>
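Review bot: The match `user_allowed[i].key == LOCKED_USER_OK.key` has no lower bound, so an entry stored with key -1 (shorturl.asp pushes `getQParamInt("k", -1)` unchecked) satisfies every page that also defaulted its key to -1 — mld_edit_melding.asp, mld_edit_opdr.asp and PDA/melding.asp without a key, i.e. the create-new paths — and the `LOCKED_USER_OK === true` wildcard survives although no page in this patch sets it. Tighten the condition to `(LOCKED_USER_OK.key > 0 && user_allowed[i].xmlnode === LOCKED_USER_OK.xmlnode && user_allowed[i].key === LOCKED_USER_OK.key)` and drop the `=== true` branch unless a caller is known to need it. Once matched, `user_key` from the session entry becomes the acting user for the whole request with no trace that it came from a link rather than a login; a `__Log` line at the `break` would give the audit trail that distinction. How `user_key` is consumed below this hunk is not visible here.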
@@ -30,9 +38,6 @@ protectQS.verify(); // tamper check
 FCLTHeader.Requires({ plugins:["jQuery"] });
-var pKey = getQParamInt("key", -1);
-var pNiveau = getQParamSafe("niveau", "");
-var pModule = getQParamSafe("module");
 var pKenmerk_key = getQParamInt("kenmerk_key", -1);
 var pAlgLevel = getQParam("kenmerk_module", "");
diff --git a/APPL/Shared/xml_converter.inc b/APPL/Shared/xml_converter.inc
index 1a30d8cba6..738b882e06 100644
--- a/APPL/Shared/xml_converter.inc
+++ b/APPL/Shared/xml_converter.inc
@@ -49,6 +49,25 @@ function STR2Stream(xmlstr, xslfile, Stream, params)
 xslproc.transform();
 p_bodyhtml = xslproc.output;
+ // eerst hmac(urlstring, prs_key) vervangen
+ // hmac(/?u=melding&k=1234&luk=33083,33083) wordt iets van
+ // /?u=melding&k=1234&luk=33083&hmac=1234567890:ahebher9e8234r34
+ // protectQS.create(string, { sleutel: "abcde", // van 33083, niet de huidige persoon!
+ // no_user_key: true }
+ var hmacs = p_bodyhtml.match(/(hmac\([^\)]*\))/g); // heeft nu array van hmac(/?u=melding&k=1234&luk=33083,33083)
+ for (var i =0; hmacs && i < hmacs.length; i++)
+ {
+ var params = hmacs[i].match(/\(([^,]+)\,(\d+)\)/);
+ if (params.length == 3)
+ {
+ var url = params[1];
+ var key = params[2];
+ var newurl = protectQS.create(url, { sleutel: "abcd", no_user_key: true });
+ p_bodyhtml = p_bodyhtml.replace(hmacs[i], newurl);
+ }
+ }
+
+
 var startPos = p_bodyhtml.indexOf("qrc=") + 4;
 var quote = p_bodyhtml.substr(startPos, 1);
 var eindPos = p_bodyhtml.indexOf(quote, startPos + 2);
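Review bot: `protectQS.create(url, { sleutel: "abcd", no_user_key: true })` signs the e-mail/receipt link with a hard-coded placeholder and never uses the person key captured in `key`, although the comment above it says the secret must belong to that person (`van 33083, niet de huidige persoon!`); with a fixed `"abcd"` anyone who has read this file can mint a valid `hmac=` for any `luk`, which defeats the protection shorturl.asp is waiting on. Two smaller defects sit in the same loop: `var params = hmacs[i].match(...)` reuses the name of STR2Stream's `params` argument (JScript `var` is function-scoped, so the argument is clobbered for the rest of the function, which continues beyond this hunk), and `params.length` throws when the inner match returns null. How the per-person secret is obtained is not visible here, so the fence leaves that lookup as a marked TODO rather than inventing one:
```javascript
var hmacs = p_bodyhtml.match(/(hmac\([^\)]*\))/g); // array of hmac(/?u=melding&k=1234&luk=33083,33083)
for (var i = 0; hmacs && i < hmacs.length; i++)
{
  var m = hmacs[i].match(/\(([^,]+)\,(\d+)\)/); // not "params": that is STR2Stream's argument
  if (!m || m.length != 3) continue;
  var url = m[1];
  var prs_key = m[2];
  var sleutel = null; // TODO: secret bound to prs_key (lookup not in this file); never the "abcd" literal
  var newurl = protectQS.create(url, { sleutel: sleutel, no_user_key: true });
  p_bodyhtml = p_bodyhtml.replace(hmacs[i], newurl);
}
// … unchanged: qrc= handling …
```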