FSN#32704 Beheerders meer rapporten laten toevoegen

svn path=/Website/branches/v2015.1/; revision=25308
2015-05-27 12:03:10 +00:00
parent cdb424b0de
commit a982636c57
1 changed files with 23 additions and 15 deletions
--- a/APPL/API2/model_reportsx.inc
+++ b/APPL/API2/model_reportsx.inc
@@ -48,6 +48,15 @@ function model_reportsx(usrrap_key, params)
                          }
              };

+    this.is_safe_view = function(viewname)
+    {
+        if (viewname.match(/^..._V_UDR_.*/i))
+            return true;
+        if (viewname.substr(0, 5).toUpperCase() == customerId + "_")
+            return true;
+        return false;
+    };
+
    this._check_authorization = function(params, method)
        {
            params.message = "";
@@ -78,14 +87,6 @@ function model_reportsx(usrrap_key, params)
        __Log(new_model);
    };

-    function isEmptyObject( obj ) {
-		var name;
-		for ( name in obj ) {
-			return false;
-		}
-		return true;
-	}
-
    this.REST_GET = function _reportsx_GET(params, jsondata)
        {
            var query = api2.sqlfields(params, this);
@@ -120,6 +121,8 @@ function model_reportsx(usrrap_key, params)
                this.includes["columns"].model._view2columns(params.filter.id);
                var json = api2.sql2json (params, sql, this );
            }
+            if (json.length == 1 && !this.is_safe_view(json[0].viewname))
+                this.fields["viewname"].readonly = true;

            return json;
        };
@@ -146,6 +149,10 @@ function model_reportsx(usrrap_key, params)
    this.REST_POST = function _reportsx_REST_POST(params, jsondata) /* new report */
        {
            this._check_authorization(params, "POST");
+            if (user.oslogin() != "_FACILITOR") // Die mag alles
+            {
+                user.auth_required_or_abort(this.is_safe_view(jsondata.report.viewname));
+            }

            var fields = api2.update_fields(params, this, jsondata); // Build updater
            this._analyze_fields(fields, params, jsondata);
@@ -178,16 +185,17 @@ function model_reportsx(usrrap_key, params)

    if (!params.internal)
    {
-        if (user.oslogin() != "_FACILITOR") // Alleen _FACILITOR mag nieuwe rapporten toevoegen
-        {                                   // (PRSSYS mag wel clonen)
-            this.REST_POST = false;
-            this.fields["viewname"].readonly = true;
-        }
-        else
+        if (user.oslogin() == "_FACILITOR")
            settings.overrule_setting("fac_usrrap_mode", 0xff); // _FACILITOR mag alles
+        else
+        {
+            // ooit iets als this.fields["viewname"].foreignsql = "SELECT object_name FROM user_objects WHERE objecttype = 'VIEW' AND <<safe>>";
+            // scaffolding.inc / scf_RWFIELDTR moet dan wel foreignsql gaan ondersteunen
+        }

        if (!user.checkAutorisation("WEB_PRSSYS", true))
-        {
+        {   // Dit heeft betrekking op de zoekvelden van appl/fac/fac_reportx_show.asp?mode=search
+            // Omdat wij standaard linken naaar mode=list speelt dit zelden.
            for (var fld in this.fields)
            {
                if (fld != "id" && fld != "name" && fld != "description")