FSN#33833 Rapport mogelijkheden sturen via S("fac_usrrap_mode")

svn path=/Website/trunk/; revision=26449
2015-09-23 11:08:44 +00:00
parent cf4bd33eee
commit ef7fc60fa0
4 changed files with 45 additions and 21 deletions
--- a/APPL/API2/model_reportcolumns.inc
+++ b/APPL/API2/model_reportcolumns.inc
@@ -13,8 +13,11 @@
 */

 // model_reportcolumns is uitsluitend beschikbaar onder model_reports(x) die de autorisatie dan ook doet
+// TODO: neen, security lek FSN#33869
 function model_reportcolumns(usrrap_key, params)
 {
+    var rap_key = getQParamInt("fac_usrrap_key", -1); // JGL: Lelijk
+
    params = params || {};
    this.table = "fac_usrrap_cols";
    this.primary = "fac_usrrap_cols_key";
@@ -247,7 +250,7 @@ function model_reportcolumns(usrrap_key, params)

    this.REST_GET = function _GET(params)
        {
-            // De modal detail popup gebruikt dit echter nog wel
+            // De modal detail popup gebruikt dit echter nog wel.
            var query = api2.sqlfields(params, this );
            var wheres = api2.sqlfilter(params, this);
            query.wheres = query.wheres.concat(wheres);
@@ -294,6 +297,19 @@ function model_reportcolumns(usrrap_key, params)
        }
    // REST_DELETE: not supported

+    if (rap_key > 0)
+    {
+        // var rap_data = model_reportsx(rap_key); te veel recursie
+        var sql = "SELECT fac_usrrap_functie"
+                + "  FROM fac_usrrap"
+                + " WHERE fac_usrrap_key = " + rap_key;
+        var oRs = Oracle.Execute(sql);
+        var functie = oRs("fac_usrrap_functie").Value || 0;
+        oRs.Close();
+        if (functie & 32) // template
+            this.REST_PUT = false;
+    }
+
    if (params.internal)
    {
        this.REST_POST = this._REST_POST; // Voor de clone-report
--- a/APPL/API2/model_reportsx.inc
+++ b/APPL/API2/model_reportsx.inc
@@ -33,7 +33,7 @@ function model_reportsx(usrrap_key, params)
                    "authorisation": {  dbs: "fac_functie_key",          typ: "key",      label: L("lcl_usrrap_functie"),  foreign: "fac_functie"},
                    "group"        : {  dbs: "fac_usrrap_groep",         typ: "varchar",  label: L("lcl_usrrap_groep"),    filter: "like" },
                    "styling"      : {  dbs: "fac_usrrap_functie",       typ: "key", label: L("lcl_usrrap_styling"),
-                                          LOV: L("lcl_usrrap_stylingLOV") }, // 0;on-gestylede;1;gestylede;2;procedure;3;procedure gestyled;8;Via tabelizer;16;mobile
+                                          LOV: L("lcl_usrrap_stylingLOV") }, // 0;on-gestylede;1;gestylede;2;procedure;3;procedure gestyled;8;Via tabelizer;16;mobile;32;UDR Template

                    "urllink"      : {  dbs: "fac_usrrap_urllink",       typ: "varchar",  label: L("lcl_usrrap_urllink")},
                    "autorefresh"  : {  dbs: "fac_usrrap_autorefresh",   typ: "check",    label: L("lcl_usrrap_autorefresh")},
@@ -136,13 +136,22 @@ function model_reportsx(usrrap_key, params)
                sql += ", fac_usrrap_cols_volgnr";

            var json = api2.sql2json (params, sql, this);
-            if (json.length == 1 && params.include && inArray("columns", params.include))
+            if (json.length == 1)
            {
-                this.includes["columns"].model._view2columns(params.filter.id, json[0].lastrefresh, json[0].columns);
-                var json = api2.sql2json (params, sql, this ); // En nu opnieuw ophalen
+                var rap_data = json[0];
+                if (params.include && inArray("columns", params.include))
+                {
+                    this.includes["columns"].model._view2columns(params.filter.id, rap_data.lastrefresh, rap_data.columns);
+                    var json = api2.sql2json (params, sql, this ); // En nu opnieuw ophalen
+                }
+                if ("viewname" in rap_data && !this.is_safe_view(rap_data.viewname))
+                    this.fields["viewname"].readonly = true;
+
+                if (rap_data.styling && rap_data.styling.id & 32) // UDR Template
+                {
+                    this.REST_PUT = false; // Niets te updaten, alleen clonen
+                }
            }
-            if (json.length == 1 && "viewname" in json[0] && !this.is_safe_view(json[0].viewname))
-                this.fields["viewname"].readonly = true;

            return json;
        };
@@ -202,13 +211,12 @@ function model_reportsx(usrrap_key, params)
    if (!params.internal)
    {
        if (user.oslogin() == "_FACILITOR")
-            settings.overrule_setting("fac_usrrap_mode", 0xff); // _FACILITOR mag alles
+            settings.overrule_setting("fac_usrrap_mode", 1); // _FACILITOR mag alles
        else
        {
            // ooit iets als this.fields["viewname"].foreignsql = "SELECT object_name FROM user_objects WHERE objecttype = 'VIEW' AND <<safe>>";
            // scaffolding.inc / scf_RWFIELDTR moet dan wel foreignsql gaan ondersteunen
        }
-
        if (S("fac_usrrap_mode") != 1)
        {
            this.fields["count"].readonly = true;
--- a/APPL/FAC/fac_usrrapx_clone.asp
+++ b/APPL/FAC/fac_usrrapx_clone.asp
@@ -8,14 +8,12 @@

    Parameters:
    Context:
-    Note:           De bron kan een ouderwets view-rapport of een usrrap_cols rapport zijn
-                    Het resultaat is echter in beide gevallen een usrrap_cols rapport.
+    Note:
 */
 var JSON_Result = true;
 %>
 <!-- #include file="../Shared/common.inc" -->
 <!-- #include file="../shared/save2db.inc" -->
-<!-- #include file="./fac_usrrap.inc" -->
 <!-- #include file="../api2/api2.inc" -->
 <!-- #include file="../api2/model_reportsx.inc" -->
 <%
@@ -26,6 +24,7 @@ var usrrap_key = getQParamInt("usrrap_key");

 var oldrap = new model_reportsx(usrrap_key, { include: ["columns"] });
 oldrap.data.name = "Clone: " + toDateTimeString(new Date, true) + " " + oldrap.data.name;
+oldrap.data.styling.id = (oldrap.data.styling.id & (~32)); // Template bitje er af strippen

 var newrap = new model_reportsx(-1, { internal: true }); // internal zodat POST op kolommen wordt geaccepteerd
 var params = { isNew: true };
--- a/APPL/SCF/scaffolding_show.inc
+++ b/APPL/SCF/scaffolding_show.inc
@@ -71,17 +71,18 @@ function scaffolding_show(model, scf_params)
      </head>
      <body id="showbody">
    <%  var buttons = [];
+        if (scf_params.show.buttons)
+        {
+          for (var i = 0; i < scf_params.show.buttons.length; i++)
+          {   // Als je een action opgeeft *zonder* haakjes voegen we automagisch de key en model toe
+              if (scf_params.show.buttons[i].action.indexOf("(") < 0)
+                  scf_params.show.buttons[i].action += "(" + key + ", '" + model.table + "')"
+              buttons.push(scf_params.show.buttons[i]);
+          }
+        }
+
        if (model["REST_PUT"]) // TODO: Eventueel autfunction testen?
        {
-          if (scf_params.show.buttons)
-          {
-            for (var i = 0; i < scf_params.show.buttons.length; i++)
-            {   // Als je een action opgeeft *zonder* haakjes voegen we automagisch de key en model toe
-                if (scf_params.show.buttons[i].action.indexOf("(") < 0)
-                    scf_params.show.buttons[i].action += "(" + key + ", '" + model.table + "')"
-                buttons.push(scf_params.show.buttons[i]);
-            }
-          }
          buttons.push({title: L("lcl_change"), action: "xxx_change()", icon: "wijzigen.png" });
          if (model["REST_DELETE"])
            buttons.push({title: L("lcl_delete"), action: "xxx_delete()", icon: "delete.png" });