diff --git a/APPL/API2/api2_rest.inc b/APPL/API2/api2_rest.inc
index 07bd6b0c29..261a63e7e7 100644
--- a/APPL/API2/api2_rest.inc
+++ b/APPL/API2/api2_rest.inc
@@ -15,7 +15,7 @@
 <%
 api2_rest = {
- authenticate: function _authenticate(model)
+ authenticate: function _authenticate()
 {
 var APIKEY;
 if (S("fac_api_key_in_url"))
@@ -84,44 +84,50 @@ api2_rest = {
 oRs.Close()
 }
+ /* global */ user = new Perslid(user_key); // wordt mogelijk nog overruled door imporsonate
+ CheckForLogging(Request.QueryString("logging")); // Nu pas kan autorisatie via user gecontroleerd worden
+ },
+ impersonate: function _impersonate(model)
+ { // Impersonate? (anno jan-2016 in de praktijk nergens gebruikt, kan mogelijk vervallen)
+ if (!S("fac_api_allow_impersonate") || !model.impersonate_auth)
+ return;
+
 var IMPERS;
 if (S("fac_api_key_in_url"))
 IMPERS = getQParam("SWITCHUSER", "");
 if (!IMPERS && Request.ServerVariables("HTTP_X_FACILITOR_SWITCH_USER").Count)
 IMPERS = String(Request.ServerVariables("HTTP_X_FACILITOR_SWITCH_USER")); // Meegegeven als X-FACILITOR-SWITCH-USER
- if (IMPERS && S("fac_api_allow_impersonate"))
- {
- var sql = "SELECT prs_perslid_key, prs_perslid_naam"
- + " FROM prs_perslid"
- + " WHERE prs_perslid_verwijder IS NULL"
- + " AND prs_perslid_oslogin = " + safe.quoted_sql_upper(IMPERS);
- var oRs = Oracle.Execute(sql);
- if (oRs.Eof)
- {
- Response.Status = "412 Invalid X-Facilitor-Switch-User header";
- Response.End;
- };
- __Log("IMPERS User is: " + oRs("prs_perslid_naam").Value);
- var other_user_key = oRs("prs_perslid_key").Value;
- oRs.Close();
- if (model.impersonate_auth)
- {
- var xfunc = user.func_enabled2(model.module, { prs_key: other_user_key, isOptional: true });
- var can = (xfunc && xfunc.canRead(model.impersonate_auth));
- if (can)
- /* global */ user_key = other_user_key;
- }
- if (user_key != other_user_key)
- {
- Response.Status = "412 Unauthorized X-Facilitor-Switch-User header";
- Response.End;
- }
- }
+ if (!IMPERS)
+ return;
- /* global */ user = new Perslid(user_key);
- CheckForLogging(Request.QueryString("logging")); // Nu pas kan autorisatie via user gecontroleerd worden
+ var sql = "SELECT prs_perslid_key, prs_perslid_naam"
+ + " FROM prs_perslid"
+ + " WHERE prs_perslid_verwijder IS NULL"
+ + " AND prs_perslid_oslogin = " + safe.quoted_sql_upper(IMPERS);
+ var oRs = Oracle.Execute(sql);
+ if (oRs.Eof)
+ {
+ Response.Status = "412 Invalid X-Facilitor-Switch-User header";
+ Response.End;
+ };
+ __Log("IMPERS User is: " + oRs("prs_perslid_naam").Value);
+ var other_user_key = oRs("prs_perslid_key").Value;
+ oRs.Close();
+
+ var xfunc = user.func_enabled2(model.module, { prs_key: other_user_key, isOptional: true });
+ var can = (xfunc && xfunc.canRead(model.impersonate_auth));
+ if (can)
+ {
+ /* global */ user_key = other_user_key;
+ /* global */ user = new Perslid(user_key);
+ }
+ else
+ {
+ Response.Status = "412 Unauthorized X-Facilitor-Switch-User header";
+ Response.End;
+ }
 },
 process: function _process(model)
 {
@@ -129,10 +135,13 @@ api2_rest = {
 Session.Codepage = 65001; // We doen *uitsluitend* utf-8
 Response.Charset = 'utf-8';
+ api2_rest.authenticate();
+ // Kip-ei: de omzetting naar new model() mag pas als je geauthenticeerd bent
+ // Hieroboven willen we heb echter al wel meegeven
 if (typeof model == "function") // Nieuwe stijl is het een function. Even compatible.
 model = new model();
- api2_rest.authenticate(model);
+ api2_rest.impersonate(model);
 var method = String(Request.ServerVariables("REQUEST_METHOD"));
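Review bot: The guard `if (!S("fac_api_allow_impersonate") || !model.impersonate_auth) return;` at the top of the new `_impersonate` makes a supplied SWITCHUSER / X-FACILITOR-SWITCH-USER value silently ignored when the model has no `impersonate_auth`, so the request is then served under the API-key user's own identity, whereas the removed `if (user_key != other_user_key)` branch refused that case with 412. A request that asked to act as another user should be refused rather than answered as the caller, so only the feature flag belongs in the up-front return and the `impersonate_auth` check should sit after `if (!IMPERS) return;` and fail closed, as sketched below. The 412 Unauthorized branch also records nothing about the refused attempt; a line such as `__Log("IMPERS denied for " + IMPERS + " by user_key " + user_key);` before `Response.Status` would make such attempts visible in the existing log. Moving `CheckForLogging(...)` into `_authenticate` means it now runs against the API-key user before any switch, the reverse of the old order — presumably intended given the new comment, but worth confirming.
```javascript
    if (!S("fac_api_allow_impersonate"))
      return;
    // … unchanged: IMPERS read from SWITCHUSER / X-FACILITOR-SWITCH-USER …
    if (!IMPERS)
      return;
    if (!model.impersonate_auth)
    {
      __Log("IMPERS denied for " + IMPERS + " by user_key " + user_key);
      Response.Status = "412 Unauthorized X-Facilitor-Switch-User header";
      Response.End;
    }
    // … unchanged: prs_perslid lookup, func_enabled2 check and user switch …
```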