diff --git a/APPL/API2/TESTER/api2_tester.html b/APPL/API2/TESTER/api2_tester.html
index 2597e09d47..bdad821dd6 100644
--- a/APPL/API2/TESTER/api2_tester.html
+++ b/APPL/API2/TESTER/api2_tester.html
@@ -43,7 +43,7 @@
|
-
+ |
|
|
diff --git a/APPL/API2/api_notes.asp b/APPL/API2/api_notes.asp
index 775eae51f9..cd253b2f23 100644
--- a/APPL/API2/api_notes.asp
+++ b/APPL/API2/api_notes.asp
@@ -22,4 +22,5 @@
<%
api2_rest.process(new model_notes(getQParam("module", "").toUpperCase()));
+
%>
\ No newline at end of file
diff --git a/APPL/API2/model_notes.inc b/APPL/API2/model_notes.inc
index 9f05eaab43..b01bbedf11 100644
--- a/APPL/API2/model_notes.inc
+++ b/APPL/API2/model_notes.inc
@@ -59,7 +59,6 @@ SELECT 'PRJ'
%>
-
<%
function model_notes(module)
@@ -129,8 +128,53 @@ function model_notes(module)
]
};
- // TODO: REST_GET niet (rechtstreeks) toestaan?
- this.REST_GET = function _GET(params)
+ function _check_authorization (params, method)
+ {
+ params.message = "";
+
+ if (params.filter.module == "MLD")
+ {
+ var autfunction = (params.filter.scope == "fe"? "WEB_MLDFOF" : "WEB_MLDBOF");
+ params.authparams = user.checkAutorisation(autfunction, null, null, true); // pessimistisch
+
+ switch (method)
+ {
+ case "GET":
+ if (params.filter.parent_key)
+ {
+ var mld_key = params.filter.parent_key;
+ var this_mld = mld.func_enabled_melding(mld_key, params);
+ user.auth_required_or_abort(this_mld.canReadNotes);
+ }
+ break;
+ case "DELETE":
+ // Notes mogen niet worden verwijderd.
+ // en verder met de autorisatie van PUT...
+ case "PUT":
+ var mld_key = params.filter.parent;
+ var this_mld = mld.func_enabled_melding(mld_key, params);
+ user.auth_required_or_abort(this_mld.canWriteNotes);
+ params.isNew = false;
+ break;
+ case "POST":
+ var mld_key = params.filter.parent_key;
+ var this_mld = mld.func_enabled_melding(mld_key, params);
+ user.auth_required_or_abort(!this_mld.canWriteNotes);
+ params.isNew = true;
+ break;
+ }
+ params.func_enabled = this_mld || {};
+ }
+ else
+ {
+ // Voor alle andere modules toevoegen niet toestaan.
+ if (method == "POST")
+ user.auth_required_or_abort(false);
+ }
+ }
+
+ // TODO: REST_GET niet (rechtstreeks) toestaan?
+ this.REST_GET = function _GET(params)
{
var query = api2.sqlfields(params, this );
var wheres = api2.sqlfilter(params, this);
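Review bot: The POST case negates the permission at `user.auth_required_or_abort(!this_mld.canWriteNotes);`, so creating a note on an MLD record aborts for users who can write notes and proceeds for users who cannot — the opposite of the PUT check a few lines above; it should read `user.auth_required_or_abort(this_mld.canWriteNotes);`. The PUT/DELETE branch also reads `params.filter.parent` while GET and POST read `params.filter.parent_key`; if that is not deliberate, an undefined key reaches `mld.func_enabled_melding` and the write check runs against whatever that returns. The DELETE comment states notes may not be deleted, yet the fall-through grants DELETE under the write permission instead of `user.auth_required_or_abort(false)` as the non-MLD POST path does — presumably deletion should be refused outright. For modules other than MLD only POST is rejected, so PUT and DELETE leave `_check_authorization` unchecked; worth confirming that is enforced elsewhere. The enclosing `model_notes` function starts and ends outside this hunk.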
@@ -165,7 +209,8 @@ function model_notes(module)
this.REST_POST = function (params, jsondata) /* new note */
{
- params.isNew = true;
+ params.filter.parent_key = jsondata.parent;
+ _check_authorization(params, "POST");
//
var dbfields = api2.update_fields(params, this, jsondata); // Build updater
dbfields["id"] = { dbs: tabel.id, typ: "key", seq: tabel.seq };