admin/Facilitor
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FCLT#57811 Aanscherpen _FACILITOR en WEB_FACFAC bescherming

Browse Source 
svn path=/Website/branches/v2019.1/; revision=42525
This commit is contained in:
Jos Groot Lipman
2019-05-15 09:52:56 +00:00
parent b47fcbb7fb
commit b1b1b1bced
4 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
APPL/PRS/pchange_save.asp
View File

@@ -29,16 +29,18 @@ var clearpassword = getFParamInt("clear",0) == 1;
if (clearpassword && !xfunc.canWrite("WEB_PRSSYS") && !xfunc.canWrite("WEB_FACMGT"))
abort_with_warning(L("lcl_no_auth"));
var user_info = new Perslid(theUser_key);
// Als ik zelf geen PRSSYS heb mag ik niet het wachtwoord veranderen van mensen die dat wel hebben.
// Anders een security lek
if (!xfunc.canWrite("WEB_PRSSYS") && new Perslid(theUser_key).checkAutorisation("WEB_PRSSYS", true))
if (!xfunc.canWrite("WEB_PRSSYS") && user_info.has("WEB_PRSSYS"))
abort_with_warning(L("lcl_no_auth"));
// hetzelfde voor FACFAC
if (!xfunc.canWrite("WEB_FACFAC") && user_info.has("WEB_FACFAC"))
abort_with_warning(L("lcl_no_auth"));
// pass_expired alleen voor anderen
var pass_expired = theUser_key != user_key && getFParam("pass_expired", "off") == "on";
var user_info = new Perslid(theUser_key);
if ( Session("must_reset_password") != 1
&& theUser_key == user_key
&& ( (!xfunc.canWrite("WEB_PRSSYS") && !xfunc.canWrite("WEB_FACMGT") )

15
APPL/PRS/prs_edit_perslid.asp
View File

@@ -259,9 +259,18 @@ if (prs_key > 0) // Fotoblokje alleen bij bestaande records
useRWFIELD("prs_mobiel", "fld", L("lcl_prs_person_mobile"), prs_mobiel, {maxlength: 15});
manRWFIELD("prs_email", "fld", L("lcl_prs_person_email"), prs_email, {maxlength: 200});
}
if (prsauthparams.writesys || (S("prs_mgt_edit_login") && xfunc.canWrite("WEB_FACMGT"))) {
RWFIELDTR("prs_oslog", "fld", L("lcl_prs_person_login"), prs_oslog, {maxlength: 30});
RWFIELDTR("prs_oslog2", "fld", L("lcl_prs_person_login2"), prs_oslog2, {maxlength: 30});
if (prsauthparams.writesys || (S("prs_mgt_edit_login") && xfunc.canWrite("WEB_FACMGT")))
{
if (prs_oslog && prs_oslog.substr(0, 1) == "_" && !user.has("WEB_FACFAC"))
{
ROFIELDTR("fld", L("lcl_prs_person_login"), prs_oslog, {suppressEmpty: true});
ROFIELDTR("fld", L("lcl_prs_person_login2"), prs_oslog2, {suppressEmpty: true});
}
else
{
RWFIELDTR("prs_oslog", "fld", L("lcl_prs_person_login"), prs_oslog, {maxlength: 30});
RWFIELDTR("prs_oslog2", "fld", L("lcl_prs_person_login2"), prs_oslog2, {maxlength: 30});
}
if (prsauthparams.writetab)
{
RWFIELDTR("prs_apikey", "fld", L("lcl_prs_apiuser"), prs_apikey, {maxlength: 64});

3
APPL/PRS/prs_edit_perslid_save.asp
View File

@@ -23,6 +23,9 @@ var xfunc = user.func_enabled("*", null, null, prs_key>0?prs_key:null);
var prsauthparams = prs.checkAutorisation(prs_key);
user.auth_required_or_abort(prsauthparams.writeman || prsauthparams.writeuse || prsauthparams.writeself);
var prs_user = new Perslid(prs_key);
user.auth_required_or_abort(!prs_user.has("WEB_FACFAC") || user.has("WEB_FACFAC")); // WEB_FACFAC alleen als je het zelf ook hebt
var prs_tz = getFParam("prs_tz", "");
if (prs_tz != "")

4
APPL/PRS/prs_show_perslid.asp
View File

@@ -249,6 +249,10 @@ var prs_user = new Perslid(prs_key);
buttons.push({ title: L("lcl_impersonate"), icon: "impersonate.png", action: "prs_impersonate()", id: "bimpers" });
}
}
if (prs_user.has("WEB_FACFAC") && !user.has("WEB_FACFAC"))
{
buttons = []; // zelf geen WEB_FACFAC dan mag je echt niets meer
}
IFRAMER_HEADER(L("lcl_prs_persoon_frame"), buttons);
%>
<div id="show">