MARX#84828 Verzoek tot zelfreset OTP codes door Mareon leveranciers doorvoeren

svn path=/Website/trunk/; revision=68920
Erik Groener
2025-05-06 14:36:59 +00:00
parent 926967448e
commit f5bd28c3a7
3 changed files with 41 additions and 44 deletions


@@ -502,6 +502,25 @@ prs =
return result;
},
hasAutorisation: function(prs_key, func_code)
{
var result = {read: false, write: false};
var sql = "SELECT w.fac_gebruiker_prs_level_read"
+ " , w.fac_gebruiker_prs_level_write"
+ " FROM fac_v_webgebruiker w"
+ " , fac_functie f"
+ " WHERE w.fac_functie_key = f.fac_functie_key"
+ " AND w.prs_perslid_key = " + prs_key
+ " AND fac_functie_code = " + safe.quoted_sql_upper(func_code);
var oRs = Oracle.Execute(sql);
if (!oRs.EOF) {
result.read = oRs("fac_gebruiker_prs_level_read").Value < 9;
result.write = oRs("fac_gebruiker_prs_level_write").Value < 9;
}
oRs.Close();
return result;
},
set_flag: function(prs_key, flagbit)
{
var sql = "UPDATE prs_perslid"
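Review bot: In hasAutorisation the comparisons `oRs("fac_gebruiker_prs_level_read").Value < 9` and its write counterpart become true when the column is NULL, because JScript coerces null to 0, so if the level can be unset in fac_v_webgebruiker a user without a level is granted both rights instead of none; compare explicitly, e.g. `var lvl = oRs("fac_gebruiker_prs_level_read").Value; result.read = (lvl !== null && lvl < 9);` and the same for write. The query also interpolates `prs_key` into the SQL untouched while `func_code` goes through `safe.quoted_sql_upper`; the callers in this commit pass keys read from the database, but since this is a shared helper it should coerce the key itself, e.g. `" AND w.prs_perslid_key = " + parseInt(prs_key, 10)`, so a non-numeric value fails the query rather than altering it. A short header comment stating that read/write are true only when a row exists and the level is below 9 would also help, since the 9 threshold is otherwise unexplained.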


@@ -14,6 +14,7 @@ var JSON_Result = true;
<!--#include file="../Shared/common.inc"-->
<!--#include file="../aut/login.inc"-->
<!--#include file="../prs/prs.inc" -->
<%
protectRequest.validateToken();
@@ -22,51 +23,27 @@ var contactpersoon_key = getFParamInt("cp_key", -1);
if (theUser_key != user_key && !user.has(["WEB_FACFAC","WEB_PRSSYS","WEB_FACMGT"]))
abort_with_warning(L("lcl_no_auth"));
if (contactpersoon_key > 0)
{ // Controleer of de gebruiker van hetzelfde bedrijf is als de contactpersoon
// en of de gebruiker ook EXTREL rechten heeft.
var sql = "SELECT prs_perslid_key"
+ " FROM prs_contactpersoon"
+ " WHERE prs_bedrijf_key ="
+ " (SELECT prs_bedrijf_key"
+ " FROM prs_contactpersoon"
+ " WHERE prs_perslid_key = " + user_key
+ " )"
+ " AND prs_contactpersoon_key = " + contactpersoon_key;
var perslid_key = null;
var oRs = Oracle.Execute(sql);
if (!oRs.eof)
{
perslid_key = oRs("prs_perslid_key").Value;
if (perslid_key && (perslid_key != user_key))
{ // Gebruiker moet EXTREL rechten hebben
if (!user.has("WEB_EXTREL"))
perslid_key = null;
}
else
{ // zelf resetten mag niet
perslid_key = null;
}
}
oRs.Close();
if (!perslid_key)
{
abort_with_warning(L("lcl_no_auth"));
}
// Voor extrel mag nu de OTP gereset worden.
theUser_key = perslid_key;
var sql = "SELECT prs_perslid_key"
+ " FROM prs_contactpersoon"
+ " WHERE prs_contactpersoon_key = " + contactpersoon_key;
var oRs = Oracle.Execute(sql);
var prs_prskey = oRs("prs_perslid_key").Value;
oRs.Close();
var result = { success: true };
if (prs.checkAutorisation(theUser_key).writecontact && !prs.hasAutorisation(prs_prskey, "WEB_EXTREL").write && (prs_prskey != theUser_key))
{
var sql = "UPDATE prs_perslid"
+ " SET prs_perslid_otpsecret = NULL"
+ " , prs_perslid_otpcounter = NULL"
+ " WHERE prs_perslid_key = " + theUser_key;
Oracle.Execute(sql);
shared.trackaction("PRSLOG", theUser_key, L("lcl_otp_cleared"));
result.toaster = L("lcl_otp_cleared");
}
var sql = "UPDATE prs_perslid"
+ " SET prs_perslid_otpsecret = NULL"
+ " , prs_perslid_otpcounter = NULL"
+ " WHERE prs_perslid_key = " + theUser_key;
Oracle.Execute(sql);
shared.trackaction("PRSLOG", theUser_key, L("lcl_otp_cleared"));
var result = { success: true, toaster: L("lcl_otp_cleared") };
Response.Write(JSON.stringify(result));
Response.End;
%>
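Review bot: The contact-person lookup `var oRs = Oracle.Execute(sql); var prs_prskey = oRs("prs_perslid_key").Value;` reads the field without an EOF check, so when no cp_key is supplied (the -1 default from getFParamInt on the hunk header) or an unknown key is given, the recordset is empty and the read fails instead of producing a controlled warning; guard it as the removed code did, `if (oRs.eof) abort_with_warning(L("lcl_no_auth"));` before taking the value. The removed block also verified that the contact person belongs to the caller's company (the prs_bedrijf_key subquery) and that the caller holds WEB_EXTREL, whereas the new condition `prs.checkAutorisation(theUser_key).writecontact && !prs.hasAutorisation(prs_prskey, "WEB_EXTREL").write` evaluates the two persons separately and, as far as this hunk shows, no longer relates them, so any contact person lacking EXTREL write rights could be selected by key — if that scoping now lives inside checkAutorisation it deserves a comment here, otherwise the company check should be restored. The UPDATE still targets `theUser_key` while the authorisation is evaluated against `prs_prskey`; the old code reassigned theUser_key to the looked-up key and that assignment is gone, so please confirm which person is meant to be reset and name it in a comment above the UPDATE. The page's setup lines before this hunk are outside the view.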


@@ -12,6 +12,7 @@
<!--#include file="../Shared/common.inc" -->
<!--#include file="../Shared/iface.inc" -->
<!--#include file="../Shared/persoonselector.inc" -->
<!--#include file="prs.inc" -->
<!--#include file="prs_flexkenmerk.inc" -->
<%
@@ -79,7 +80,7 @@ FCLTHeader.Requires({plugins:["jQuery"]})
if (user.iamContact()) // Als ik contactpersoon ben dan moet ik het ook van dit externe uitvoerende bedrijf zijn.
user.auth_required_or_abort(!prs_intern && user.iamContact(prs_bdrkey));
var isExtRel = (user.has("WEB_EXTREL") && (prs_prskey != user_key));
var isExtRel = (prs.checkAutorisation(user_key).writecontact && !prs.hasAutorisation(prs_prskey, "WEB_EXTREL").write && (prs_prskey != user_key));
// De user kan de contactpersoon verwijderen als
// 1) de persoon van het interne bedrijf niet is ingevuld OF
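Review bot: The new `isExtRel` expression is the same three-term condition that the OTP-reset page in this commit now evaluates (`prs.checkAutorisation(...).writecontact && !prs.hasAutorisation(prs_prskey, "WEB_EXTREL").write && (prs_prskey != user_key)`), spelled out by hand in both places; since it is an authorisation rule it would be safer as one helper in prs.inc next to hasAutorisation (something like `prs.isExtRelFor(user_key, prs_prskey)`, name to be chosen) that both pages call, so a later tightening cannot land on one page only. The name `isExtRel` now also covers a condition broader than holding WEB_EXTREL, so a one-line comment above it stating what the three terms establish would help the next reader. The surrounding block starts before this hunk and continues after it.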