admin/Facilitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FSN#34950 Geen new model() aanroepen voordat je authenticatie gedaan hebt

Browse Source 
svn path=/Website/trunk/; revision=28267
This commit is contained in:
Jos Groot Lipman
2016-02-23 15:44:30 +00:00
parent 3709a1033f
commit 84f2fa86a8
1 changed files with 41 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
APPL/API2/api2_rest.inc
View File

@@ -15,7 +15,7 @@
<%
api2_rest = {
authenticate: function _authenticate(model)
authenticate: function _authenticate()
{
var APIKEY;
if (S("fac_api_key_in_url"))
@@ -84,44 +84,50 @@ api2_rest = {
oRs.Close()
}
/* global */ user = new Perslid(user_key); // wordt mogelijk nog overruled door imporsonate
CheckForLogging(Request.QueryString("logging")); // Nu pas kan autorisatie via user gecontroleerd worden
},
impersonate: function _impersonate(model)
{
// Impersonate? (anno jan-2016 in de praktijk nergens gebruikt, kan mogelijk vervallen)
if (!S("fac_api_allow_impersonate") || !model.impersonate_auth)
return;
var IMPERS;
if (S("fac_api_key_in_url"))
IMPERS = getQParam("SWITCHUSER", "");
if (!IMPERS && Request.ServerVariables("HTTP_X_FACILITOR_SWITCH_USER").Count)
IMPERS = String(Request.ServerVariables("HTTP_X_FACILITOR_SWITCH_USER")); // Meegegeven als X-FACILITOR-SWITCH-USER
if (IMPERS && S("fac_api_allow_impersonate"))
{
var sql = "SELECT prs_perslid_key, prs_perslid_naam"
+ " FROM prs_perslid"
+ " WHERE prs_perslid_verwijder IS NULL"
+ " AND prs_perslid_oslogin = " + safe.quoted_sql_upper(IMPERS);
var oRs = Oracle.Execute(sql);
if (oRs.Eof)
{
Response.Status = "412 Invalid X-Facilitor-Switch-User header";
Response.End;
};
__Log("IMPERS User is: " + oRs("prs_perslid_naam").Value);
var other_user_key = oRs("prs_perslid_key").Value;
oRs.Close();
if (model.impersonate_auth)
{
var xfunc = user.func_enabled2(model.module, { prs_key: other_user_key, isOptional: true });
var can = (xfunc && xfunc.canRead(model.impersonate_auth));
if (can)
/* global */ user_key = other_user_key;
}
if (user_key != other_user_key)
{
Response.Status = "412 Unauthorized X-Facilitor-Switch-User header";
Response.End;
}
}
if (!IMPERS)
return;
/* global */ user = new Perslid(user_key);
CheckForLogging(Request.QueryString("logging")); // Nu pas kan autorisatie via user gecontroleerd worden
var sql = "SELECT prs_perslid_key, prs_perslid_naam"
+ " FROM prs_perslid"
+ " WHERE prs_perslid_verwijder IS NULL"
+ " AND prs_perslid_oslogin = " + safe.quoted_sql_upper(IMPERS);
var oRs = Oracle.Execute(sql);
if (oRs.Eof)
{
Response.Status = "412 Invalid X-Facilitor-Switch-User header";
Response.End;
};
__Log("IMPERS User is: " + oRs("prs_perslid_naam").Value);
var other_user_key = oRs("prs_perslid_key").Value;
oRs.Close();
var xfunc = user.func_enabled2(model.module, { prs_key: other_user_key, isOptional: true });
var can = (xfunc && xfunc.canRead(model.impersonate_auth));
if (can)
{
/* global */ user_key = other_user_key;
/* global */ user = new Perslid(user_key);
}
else
{
Response.Status = "412 Unauthorized X-Facilitor-Switch-User header";
Response.End;
}
},
process: function _process(model)
{
@@ -129,10 +135,13 @@ api2_rest = {
Session.Codepage = 65001; // We doen *uitsluitend* utf-8
Response.Charset = 'utf-8';
api2_rest.authenticate();
// Kip-ei: de omzetting naar new model() mag pas als je geauthenticeerd bent
// Hieroboven willen we heb echter al wel meegeven
if (typeof model == "function") // Nieuwe stijl is het een function. Even compatible.
model = new model();
api2_rest.authenticate(model);
api2_rest.impersonate(model);
var method = String(Request.ServerVariables("REQUEST_METHOD"));