AAIT#39909 'anonieme' autorisatie vanuit een link in de bon of e-mail

svn path=/Website/trunk/; revision=33787
This commit is contained in:
Jos Groot Lipman
2017-05-10 15:16:36 +00:00
parent fb78deffa2
commit f6584c2079
11 changed files with 170 additions and 57 deletions


@@ -389,33 +389,33 @@ alg = {
return aresult;
},
calc_algm2: function _calc_algm2(alg_key, lvl)
{
{
var sql = "SELECT SUM (alg_ruimte_bruto_vloeropp) opp1, "
+ " SUM (alg_ruimte_opp_alt1) opp2, "
+ " SUM (alg_ruimte_opp_alt2) opp3 "
+ " FROM alg_ruimte r, alg_verdieping v "
+ " WHERE v.alg_verdieping_key = r.alg_verdieping_key "
+ " AND r.alg_ruimte_verwijder IS NULL";
if (lvl == "G")
{
sql += " AND alg_gebouw_key = " + alg_key;
}
if (lvl == "V")
{
if (lvl == "V")
{
sql += " AND r.alg_verdieping_key = " + alg_key;
}
var oRs = Oracle.Execute(sql);
var algm2 = { oppbruto: oRs("opp1").Value, oppalt1: oRs("opp2").Value, oppalt2: oRs("opp3").Value }
var algm2 = { oppbruto: oRs("opp1").Value, oppalt1: oRs("opp2").Value, oppalt2: oRs("opp3").Value }
oRs.Close();
return algm2;
return algm2;
}
}
}
%>


@@ -38,7 +38,10 @@ __Log("== Entering shorturl.asp ==");
'locatie': { gui: 'appl/alg/alg_locatie.asp?key=' },
'melding': { gui: 'appl/mld/mld_melding.asp?mld_key=', mob: 'appl/pda/melding.asp?mld_key=' },
'message': { gui: 'appl/msg/msg_message.asp?message_key=' },
'opdracht': { gui: 'appl/mld/mld_opdr.asp?opdr_key=', mob: 'appl/pda/order.asp?opdr_key=' },
'opdracht': { gui: 'appl/mld/mld_opdr.asp?opdr_key=',
mob: 'appl/pda/order.asp?opdr_key=',
lckgui: 'appl/mld/mld_opdr_actions.asp?opdr_key=',
lckmob: 'appl/mld/mld_opdr_actions.asp?opdr_key=' },
'perslid': { gui: 'appl/prs/prs_perslid.asp?prs_key=', mob: 'appl/pda/user_info.asp?prs_key=' },
'reservering': { gui: 'appl/res/res_reservering.asp?rsv_ruimte_key=', mob: 'appl/pda/reservering.asp?rsv_ruimte_key=' },
'ruimte': { gui: 'appl/alg/alg_ruimte.asp?key=', mob: 'appl/pda/ruimte.asp?ruimte_key=' },
@@ -47,16 +50,33 @@ __Log("== Entering shorturl.asp ==");
}
var keyparam = getQParamInt("k", -1);
var locked_user_key = getQParamInt("luk", -1);
// TODO: beschermen met hmac
// Daarom nog niet geactiveerd
if (locked_user_key > 0)
{
var locked_bdradr_key = getQParamInt("lbdr", -1);
if (locked_bdradr_key > 0)
{ // Eerst: hmac controleren
var sql = "SELECT prs_bedrijfadres_locksecret,"
+ " prs_bedrijfadres_lockuser_key,"
+ " prs_bedrijfadres_lockexpire"
+ " FROM prs_bedrijfadres"
+ " WHERE prs_bedrijfadres_key = " + locked_bdradr_key
+ " AND prs_bedrijfadres_locksecret IS NOT NULL"
+ " AND prs_bedrijfadres_lockuser_key IS NOT NULL";
var oRs = Oracle.Execute(sql);
var locksecret = oRs("prs_bedrijfadres_locksecret").Value;
var lockuser_key = oRs("prs_bedrijfadres_lockuser_key").Value;
var lockexpire = oRs("prs_bedrijfadres_lockexpire").Value;
oRs.Close()
__Log("Checking locked bdradr {0} expire {1} days".format(locked_bdradr_key, lockexpire));
protectQS.verify({ sleutel: locksecret,
expire: lockexpire * 24 * 60,
checkpath: "/", // altijd tegen de root zonder default.asp
no_user_key: true }); // tamper check
var user_allowed = Session("locked_user_allowed") || []; // Array voor als je meerdere tabjes open hebt
var found = false;
for (var i = 0; i < user_allowed.length; i++)
{
if (user_allowed[i].locked_user_key == locked_user_key &&
if (user_allowed[i].locked_user_key == lockuser_key &&
user_allowed[i].xmlnode == u &&
user_allowed[i].key == keyparam)
{
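Review bot: The secret lookup reads `oRs("prs_bedrijfadres_locksecret").Value` (and the two fields after it) without testing `oRs.EOF`, so an `lbdr` value that matches no row, or an address without a secret/lock user, produces a recordset error instead of a clean refusal; put `if (oRs.EOF) { oRs.Close(); /* deny: no lock secret for this address */ }` before the reads so the request fails closed, and the same unguarded read is in the two `lockeduser(...)` replacement loops added to STR2Stream and XML2HTML in this commit. A NULL `prs_bedrijfadres_lockexpire` reaches `protectQS.verify` as `null * 24 * 60`, i.e. `expire: 0` (NaN for a non-numeric value); whether verify then rejects the link or treats it as never expiring is decided elsewhere, so default or reject it explicitly here, e.g. `if (!(lockexpire > 0)) { /* deny */ }`. In the last hunk of this file `locked_bdradr_key < 0` replaces `locked_user_key < 0`: if the `var locked_bdradr_key = getQParamInt("lbdr", -1);` declaration is only executed inside the `if (locked_user_key > 0)` branch, ordinary requests see `undefined`, `undefined < 0` is false, and the FirstPage redirect is silently disabled for them — declaring it next to `keyparam` keeps the `-1` default for everyone. The enclosing block continues past this hunk.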
@@ -66,7 +86,7 @@ __Log("== Entering shorturl.asp ==");
}
if (!found)
{
user_allowed.push({ locked_user_key: locked_user_key,
user_allowed.push({ locked_user_key: lockuser_key,
xmlnode: u,
key: keyparam
})
@@ -88,13 +108,15 @@ __Log("== Entering shorturl.asp ==");
checkUserAgent(); // devicebits waren anders mogelijk nog niet gezet
if (device.test(device.isDesktop) || device.test(device.isTouch))
{
url = known_bookmarks[u].gui;
url = locked_bdradr_key > 0? known_bookmarks[u].lckgui : known_bookmarks[u].gui;
}
else
{
url = known_bookmarks[u].mob || known_bookmarks[u].gui;
url = locked_bdradr_key > 0? known_bookmarks[u].lckmob || known_bookmarks[u].lckgui
: known_bookmarks[u].mob || known_bookmarks[u].gui;
isMobile = true;
}
url = url + keyparam;
if (keyparam > -1)
@@ -183,7 +205,7 @@ __Log("== Entering shorturl.asp ==");
else
var theURL = protectQS.create(url);
if (locked_user_key < 0 && isKnownBookmark && !isMobile && getQParamInt("internal", 0) == 0)
if (locked_bdradr_key < 0 && isKnownBookmark && !isMobile && getQParamInt("internal", 0) == 0)
{
Session("FirstPage") = theURL;
theURL = rooturl + "/";


@@ -10,7 +10,9 @@
Context: Vanuit mobile device short url
Note:
*/
%>
var pnode = getQParam("node");
var pkey = getQParamInt("key");
var LOCKED_USER_OK = { "xmlnode": pnode, "key": pkey };%>
<!-- #include file="../Shared/common.inc" -->
<!-- #include file="../mld/mld.inc" -->
@@ -23,8 +25,6 @@
FCLTHeader.Requires({ js: ["./modernizr-3.3.0.custom.min.js"] });
var qrc = getQParamInt("qrc", 0) != 0;
var pnode = getQParam("node");
var pkey = getQParamInt("key");
var tracking = getQParamInt("tracking", 0) == 1; // tracking erbij tonen?
var pnote = { note_key: getQParamInt("notekey", -1),
subject: ""
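Review bot: `var LOCKED_USER_OK = { "xmlnode": pnode, "key": pkey };` is introduced without a comment, although its placement — built from the `node` and `key` query parameters before `common.inc` is included — is the whole point of moving the two declarations up. Suggest `// Must precede common.inc: the (xmlnode, key) pair this page may show to a locked user — presumably matched against Session("locked_user_allowed"), verify in common.inc` so the next edit does not move the includes back above it. Note also that `getQParamInt("key")` here has no default while shorturl.asp reads `k` with `-1`; if the two values are compared for equality, confirm that a missing key yields the same miss value on both sides.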


@@ -17,6 +17,7 @@
<!-- #include file="../Shared/selector.inc" -->
<!-- #include file="../api2/api2.inc" -->
<!-- #include file="../Shared/plaatsselector.inc" -->
<!-- #include file="../Shared/persoonselector.inc" -->
<%
FCLTHeader.Requires({plugins:["jQuery"], js: []})
@@ -54,6 +55,9 @@ else
+ " , a.prs_bedrijfadres_certificate"
+ " , a.prs_bedrijfadres_xsl"
+ " , a.prs_bedrijfadres_ext"
+ " , a.prs_bedrijfadres_lockuser_key"
+ " , a.prs_bedrijfadres_locksecret"
+ " , a.prs_bedrijfadres_lockexpire"
+ " , a.prs_bedrijfadres_attachfile"
+ " , a.prs_bedrijfadres_flexfiles"
+ " , a.prs_bedrijfadres_encoding"
@@ -81,6 +85,9 @@ else
var prs_cert = oRs("prs_bedrijfadres_certificate").value;
var prs_xsl = oRs("prs_bedrijfadres_xsl").value;
var prs_ext = oRs("prs_bedrijfadres_ext").value;
var lockuser_key = oRs('prs_bedrijfadres_lockuser_key').value;
var locksecret = oRs('prs_bedrijfadres_locksecret').value;
var lockexpire = oRs('prs_bedrijfadres_lockexpire').value;
var bijlage = oRs('prs_bedrijfadres_attachfile').value;
var flexfiles = oRs('prs_bedrijfadres_flexfiles').value;
var encoding = oRs("prs_bedrijfadres_encoding").value;
@@ -264,6 +271,14 @@ else
initKey: encoding||0
}
);
FCLTpersoonselector("lockuser_key",
"sgPerson",
{ perslidKey: lockuser_key,
label: L("lcl_prs_bedrijfadres_lockuser")
});
RWFIELDTR("locksecret", "fld", L("lcl_prs_bedrijfadres_locksecret"), locksecret);
RWFIELDTR("lockexpire", "fld", L("lcl_prs_bedrijfadres_lockexpire"), lockexpire, {datatype: "number" });
%>
<tr valign="top">
<td class="label ">
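Review bot: `RWFIELDTR("locksecret", "fld", L("lcl_prs_bedrijfadres_locksecret"), locksecret);` renders the HMAC key that protects the anonymous order links as an ordinary text input, so the stored secret is echoed in cleartext in the edit page's HTML; the read-only page in this same commit passes `secret: true` for the same value. If RWFIELDTR has an equivalent masking option use it here too, and consider not echoing the stored value at all (accept only a replacement). The label keys also differ between the two pages (`lcl_prs_bedrijfadres_locksecret`/`lcl_prs_bedrijfadres_lockexpire` here, `lcl_prs_bedrijfadres_secret`/`lcl_prs_bedrijfadres_expire` on the read-only page); pick one set so the translations do not diverge.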


@@ -53,23 +53,26 @@ else
var protocol = getFParam("protocol");
var url = getFParam("prs_url");
var fields = [ { dbs: "prs_bedrijfadres_type", typ: "varchar", frm: "prs_type" }
, { dbs: "mld_typeopdr_key", typ: "key", val: typeopdr }
, { dbs: "alg_district_key", typ: "key", frm: "districtkey" }
, { dbs: "alg_locatie_key", typ: "key", frm: "locatiekey" }
, { dbs: "prs_bedrijfadres_url", typ: "varchar", val: protocol + url}
, { dbs: "prs_bedrijfadres_username", typ: "varchar", frm: "prs_username" }
, { dbs: "prs_bedrijfadres_password", typ: "varchar", frm: "prs_password" }
, { dbs: "prs_bedrijfadres_authmethod", typ: "number", frm: "authmethod" }
, { dbs: "prs_bedrijfadres_ordermode", typ: "number", frm: "prs_ordermode" }
, { dbs: "prs_bedrijfadres_soapversion", typ: "varchar", frm: "soapversion" }
, { dbs: "prs_bedrijfadres_soapaction", typ: "varchar", frm: "soapaction" }
, { dbs: "prs_bedrijfadres_certificate", typ: "varchar", frm: "prs_cert" }
, { dbs: "prs_bedrijfadres_xsl", typ: "varchar", frm: "prs_xsl" }
, { dbs: "prs_bedrijfadres_ext", typ: "varchar", frm: "prs_ext" }
, { dbs: "prs_bedrijfadres_attachfile", typ: "varchar", frm: "bijlage" }
, { dbs: "prs_bedrijfadres_flexfiles" , typ: "number", frm: "flexfiles" }
, { dbs: "prs_bedrijfadres_encoding", typ: "number", frm: "encoding" }
var fields = [ { dbs: "prs_bedrijfadres_type", typ: "varchar", frm: "prs_type" }
, { dbs: "mld_typeopdr_key", typ: "key", val: typeopdr }
, { dbs: "alg_district_key", typ: "key", frm: "districtkey" }
, { dbs: "alg_locatie_key", typ: "key", frm: "locatiekey" }
, { dbs: "prs_bedrijfadres_url", typ: "varchar", val: protocol + url}
, { dbs: "prs_bedrijfadres_username", typ: "varchar", frm: "prs_username" }
, { dbs: "prs_bedrijfadres_password", typ: "varchar", frm: "prs_password" }
, { dbs: "prs_bedrijfadres_authmethod", typ: "number", frm: "authmethod" }
, { dbs: "prs_bedrijfadres_ordermode", typ: "number", frm: "prs_ordermode" }
, { dbs: "prs_bedrijfadres_soapversion", typ: "varchar", frm: "soapversion" }
, { dbs: "prs_bedrijfadres_soapaction", typ: "varchar", frm: "soapaction" }
, { dbs: "prs_bedrijfadres_certificate", typ: "varchar", frm: "prs_cert" }
, { dbs: "prs_bedrijfadres_xsl", typ: "varchar", frm: "prs_xsl" }
, { dbs: "prs_bedrijfadres_ext", typ: "varchar", frm: "prs_ext" }
, { dbs: "prs_bedrijfadres_lockuser_key", typ: "key", frm: "lockuser_key" }
, { dbs: "prs_bedrijfadres_locksecret", typ: "varchar", frm: "locksecret" }
, { dbs: "prs_bedrijfadres_lockexpire" , typ: "number", frm: "lockexpire" }
, { dbs: "prs_bedrijfadres_attachfile", typ: "varchar", frm: "bijlage" }
, { dbs: "prs_bedrijfadres_flexfiles" , typ: "number", frm: "flexfiles" }
, { dbs: "prs_bedrijfadres_encoding", typ: "number", frm: "encoding" }
];
var isDeleted = false;
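Review bot: The new `prs_bedrijfadres_locksecret` entry stores the form value exactly as typed, with no length or content check, and that value is the HMAC key for every anonymous order link of this address: a short or guessable secret makes all of those links forgeable. Reject values under a sensible minimum before they enter `fields`, e.g. `var locksecret = getFParam("locksecret"); if (locksecret && locksecret.length < 16) { /* refuse the save */ }`, or generate the secret server-side and never accept it from the form at all. `prs_bedrijfadres_lockexpire` is likewise stored unchecked; a zero or negative number should be refused here rather than left to `expire: lockexpire * 24 * 60` on the verifying side.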


@@ -52,6 +52,9 @@ FCLTHeader.Requires({plugins:["jQuery"]})
+ " , a.prs_bedrijfadres_certificate"
+ " , a.prs_bedrijfadres_xsl"
+ " , a.prs_bedrijfadres_ext"
+ " , p.prs_perslid_naam_friendly"
+ " , a.prs_bedrijfadres_locksecret"
+ " , a.prs_bedrijfadres_lockexpire"
+ " , a.prs_bedrijfadres_attachfile"
+ " , a.prs_bedrijfadres_flexfiles"
+ " FROM prs_bedrijfadres a"
@@ -59,7 +62,9 @@ FCLTHeader.Requires({plugins:["jQuery"]})
+ " , mld_typeopdr t"
+ " , alg_locatie l"
+ " , alg_district d"
+ " , prs_v_perslid_fullnames p"
+ " WHERE b.prs_bedrijf_key = a.prs_bedrijf_key"
+ " AND a.prs_bedrijfadres_lockuser_key = p.prs_perslid_key(+)"
+ " AND a.mld_typeopdr_key = t.mld_typeopdr_key(+)"
+ " AND a.alg_locatie_key = l.alg_locatie_key(+)"
+ " AND a.alg_district_key = d.alg_district_key(+)"
@@ -85,6 +90,9 @@ FCLTHeader.Requires({plugins:["jQuery"]})
var prs_cert = oRs("prs_bedrijfadres_certificate").value;
var prs_xsl = oRs("prs_bedrijfadres_xsl").value;
var prs_ext = oRs("prs_bedrijfadres_ext").value;
var lockuser = oRs('prs_perslid_naam_friendly').value;
var locksecret = oRs('prs_bedrijfadres_locksecret').value;
var lockexpire = oRs('prs_bedrijfadres_lockexpire').value;
var bijlage = oRs('prs_bedrijfadres_attachfile').value;
var flexfiles = oRs('prs_bedrijfadres_flexfiles').value;
@@ -149,6 +157,9 @@ FCLTHeader.Requires({plugins:["jQuery"]})
ROFIELDTR("fld", L("lcl_prs_companies_order_certificate"), prs_cert, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_companies_xsl"), prs_xsl, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_bedrijfadres_ext"), prs_ext, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_bedrijfadres_lockuser"), lockuser, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_bedrijfadres_secret"), locksecret, {suppressEmpty:true, secret: true});
ROFIELDTR("fld", L("lcl_prs_bedrijfadres_expire"), lockexpire, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_bedrijfadres_bijlage"), bijlage, {suppressEmpty:true});
ROCHECKBOXTR("fldcheck", L("lcl_puo_order_flexfiles"), flexfiles==0 && S("puo_order_flexfiles")==1 || flexfiles==1);
BLOCK_END();


@@ -1312,7 +1312,7 @@ var protectQS =
var file = padsplitter[padsplitter.length-1]; // laatste component
// Let op dat create dezelfde data hasht
var data = user_key + ":" + file.toUpperCase() + "?" +qs;
var data = (params.no_user_key?"":(user_key + ":")) + file.toUpperCase() + "?" +qs;
//__Log("testing hmacdata: " + data);
//__Log("testing sleutel: "+ params.sleutel);
if (params.allow_anonymous)
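Review bot: The `no_user_key` form of `data` now has to match not only `protectQS.create` but also the hand-rolled string in XML2HTML (`file.toUpperCase() + "?" + qs`), and nothing on this line records that second coupling; extend the existing note to `// Note: create AND the lockeduser loop in XML2HTML must hash exactly this data`, or better, make XML2HTML call `protectQS.create` so there is a single definition. With the user key dropped, the binding of a signature to a person rests entirely on `params.sleutel` being a per-address secret, so an empty or missing `sleutel` should not be allowed to degrade to a keyless HMAC; a guard such as `if (params.no_user_key && !params.sleutel) return false;` (or this function's usual failure value) before the hash keeps that from happening. The verify function starts and ends outside this hunk.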


@@ -49,20 +49,27 @@ function STR2Stream(xmlstr, xslfile, Stream, params)
xslproc.transform();
p_bodyhtml = xslproc.output;
// eerst hmac(urlstring, prs_key) vervangen
// hmac(/?u=melding&k=1234&luk=33083,33083) wordt iets van
// /?u=melding&k=1234&luk=33083&hmac=1234567890:ahebher9e8234r34
// protectQS.create(string, { sleutel: "abcde", // van 33083, niet de huidige persoon!
// no_user_key: true }
var hmacs = p_bodyhtml.match(/(hmac\([^\)]*\))/g); // heeft nu array van hmac(/?u=melding&k=1234&luk=33083,33083)
// eerst lockeduser(xmlnode,key,bdradr_key) vervangen
// lockeduser(opdracht,12345,910) met 12345 opdracht_key en 910 bedrijfadres_key
var hmacs = p_bodyhtml.match(/(lockeduser\([^\)]*\))/g); // heeft nu array van lockeduser(opdracht,12345,910)
for (var i =0; hmacs && i < hmacs.length; i++)
{
var params = hmacs[i].match(/\(([^,]+)\,(\d+)\)/);
if (params.length == 3)
var params = hmacs[i].match(/\(([^,]+)\,(\d+),(\d+)\)/);
if (params.length == 4)
{
var url = params[1];
var xmlnode = params[1]; // We ondersteunen alleen nog maar 'opdracht'
var key = params[2];
var newurl = protectQS.create(url, { sleutel: "abcd", no_user_key: true });
var bdradr_key = params[3];
var sql = "SELECT prs_bedrijfadres_locksecret"
+ " FROM prs_bedrijfadres"
+ " WHERE prs_bedrijfadres_key = " + bdradr_key
+ " AND prs_bedrijfadres_locksecret IS NOT NULL"
+ " AND prs_bedrijfadres_lockuser_key IS NOT NULL";
var oRs = Oracle.Execute(sql);
var locksecret = oRs("prs_bedrijfadres_locksecret").Value;
oRs.Close()
var url = "?u={0}&k={1}&lbdr={2}".format(xmlnode, key, bdradr_key);
var newurl = protectQS.create(url, { sleutel: locksecret, no_user_key: true });
p_bodyhtml = p_bodyhtml.replace(hmacs[i], newurl);
}
}
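Review bot: `var params = hmacs[i].match(/\(([^,]+)\,(\d+),(\d+)\)/);` returns null when a `lockeduser(...)` token in the XSL output does not have the exact `(word,digits,digits)` shape, and the next line then throws on `params.length`, aborting the whole transform; test for null first, `if (params && params.length == 4)`. The same pattern is in the loop added to XML2HTML in this commit. Because the regex admits only `\d+` for the address key, the string-built query is not injectable here, which is worth a one-line comment since the rest of the file builds SQL the same way with less certain inputs. This loop is otherwise a copy of the XML2HTML block; one shared helper mapping `(xmlnode, key, bdradr_key)` to a signed URL would keep the two from drifting. STR2Stream continues outside this hunk.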


@@ -115,7 +115,8 @@ function send1Order(Bedrijf_key, prs_loc_key, XMLnode, OpdrKey, ordernr, Sender,
+ " ba.prs_bedrijfadres_password,"
+ " ba.prs_bedrijfadres_authmethod,"
+ " ba.prs_bedrijfadres_soapversion,"
+ " ba.prs_bedrijfadres_soapaction"
+ " ba.prs_bedrijfadres_soapaction,"
+ " ba.prs_bedrijfadres_locksecret"
+ " FROM prs_bedrijfadres ba "
+ " WHERE ba.prs_bedrijf_key = " + Bedrijf_key
+ " AND ((ba.alg_locatie_key = " + prs_loc_key + ") OR (ba.alg_locatie_key IS NULL))"
@@ -174,7 +175,8 @@ function send1Order(Bedrijf_key, prs_loc_key, XMLnode, OpdrKey, ordernr, Sender,
}
else
{
var bedrijfadres = { url: oRsB("prs_bedrijfadres_url").value,
var bedrijfadres = { key: Bedrijf_key,
url: oRsB("prs_bedrijfadres_url").value,
encoding: oRsB("prs_bedrijfadres_encoding").value,
ordermode: oRsB("prs_bedrijfadres_ordermode").value,
typeopdr_key: oRsB("mld_typeopdr_key").value,
@@ -187,7 +189,8 @@ function send1Order(Bedrijf_key, prs_loc_key, XMLnode, OpdrKey, ordernr, Sender,
password: oRsB("prs_bedrijfadres_password").value,
authmethod: oRsB("prs_bedrijfadres_authmethod").value || 0,
soapversion: oRsB("prs_bedrijfadres_soapversion").value,
soapaction: oRsB("prs_bedrijfadres_soapaction").value
soapaction: oRsB("prs_bedrijfadres_soapaction").value,
locksecret: oRsB("prs_bedrijfadres_locksecret").value
};
oRsB.Close();
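Review bot: `key: Bedrijf_key` stores the company key under the name `key` on an object that otherwise describes one prs_bedrijfadres row, while the `lockeduser(...,bdradr_key)` tokens and the `lbdr` parameter introduced in this commit identify the address by `prs_bedrijfadres_key`; anything that later reads `bedrijfadres.key` as an address key will get the wrong id. If the company key is intended, name it `bedrijf_key`; if the address key is intended, select `ba.prs_bedrijfadres_key` in the query above (it is not among the visible columns) and use `key: oRsB("prs_bedrijfadres_key").value`. The new `locksecret` property also puts the HMAC key on an object that travels into the mail/SOAP layer, so callers that dump this object to the log need to be checked. send1Order continues outside this hunk.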


@@ -259,6 +259,7 @@ function connectMail( p_connect
, p_xslPath
, ""
, "email"
, p_bedrijfadres
);
params.attachFileName = p_filename; //JGL Volgens mij don't care parameter
mailResult = sendMail( p_sender
@@ -385,6 +386,7 @@ function SendOrder( p_connect
, p_xslPath
, p_code
, ""
, p_bedrijfadres
)
var XMLResult = new ActiveXObject("Msxml2.DOMDocument.6.0");


@@ -66,6 +66,7 @@ function XML2HTML( body
, xslPath
, srtnotificatie
, mode
, p_bedrijfadres
)
{
// Transform body=xml according to xslPath=xslfilenaam with optionel srtnotification parameter (e.g. RESBEV)
@@ -88,6 +89,55 @@ function XML2HTML( body
xslProc.transform();
result = xslProc.output;
// eerst lockeduser(xmlnode,key,bdradr_key) vervangen
// lockeduser(opdracht,12345,910) met 12345 opdracht_key en 910 bedrijfadres_key
var hmacs = result.match(/(lockeduser\([^\)]*\))/g); // heeft nu array van lockeduser(opdracht,12345,910)
for (var i =0; hmacs && i < hmacs.length; i++)
{
var params = hmacs[i].match(/\(([^,]+)\,(\d+),(\d+)\)/);
if (params.length == 4)
{
var xmlnode = params[1]; // We ondersteunen alleen nog maar 'opdracht'
var key = params[2];
var bdradr_key = params[3];
var sql = "SELECT prs_bedrijfadres_locksecret"
+ " FROM prs_bedrijfadres"
+ " WHERE prs_bedrijfadres_key = " + bdradr_key
+ " AND prs_bedrijfadres_locksecret IS NOT NULL"
+ " AND prs_bedrijfadres_lockuser_key IS NOT NULL";
var oRs = Oracle.Execute(sql);
var locksecret = oRs("prs_bedrijfadres_locksecret").Value;
oRs.Close();
var url = "?u={0}&k={1}&lbdr={2}".format(xmlnode, key, bdradr_key);
// create hmac
var splitter = url.split("?");
var pad = splitter[0];
var qs = splitter.length>1?splitter[1]:"x=x";
var padsplitter = pad.split("/");
var file = padsplitter[padsplitter.length-1]; // laatste component
// Let op dat protectQS.wsc hetzelfde doet voor Facmgt
var str = file.toUpperCase() + "?" + qs;
//var hmacced = protectHMAC.create(data, params);
var ts = String(Math.round((new Date).getTime() / 1000));
var data = ts + ":" + str
Log2File(2, "hmacdata: " + data);
//__Log("sleutel: "+ params.sleutel);
var oCrypto = new ActiveXObject("SLNKDWF.Crypto");
var sig = oCrypto.hex_hmac_sha1(locksecret, data);
var hmac = oCrypto.hex2base64(sig, false, true); // no padding, urlsafe
oCrypto = null; // Caching klinkt leuk maar Oracle sessies blijven langer hangen?
hmacced = ts+":"+hmac;
newurl = pad + "?" + qs + "&hmac="+encodeURIComponent(hmacced);
//var newurl = protectQS.create(url, { sleutel: locksecret, no_user_key: true });
result = result.replace(hmacs[i], newurl);
}
}
return result;
}
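Review bot: `hmacced = ts+":"+hmac;` and `newurl = pad + "?" + qs + "&hmac="+encodeURIComponent(hmacced);` are assigned without `var`, so they become implicit globals; write `var hmacced = ts + ":" + hmac;` and `var newurl = pad + "?" + qs + "&hmac=" + encodeURIComponent(hmacced);`. The new `p_bedrijfadres` parameter is never read in the new body — the address key and secret are re-derived per token from the `lockeduser(...)` text and a fresh query — so either drop the parameter (and the two call-site changes in this commit) or use it and skip the per-link lookup. The loop also re-implements the signing that `protectQS.create` already does, with the real call left commented out; two hand-maintained copies of the data string are exactly what will one day make every emailed link fail verification, so prefer the single implementation. `var data = ts + ":" + str` is missing its semicolon, and `Log2File(2, "hmacdata: " + data);` logs the signed query string — acceptable, but the `locksecret` must never join it (the commented-out `sleutel` log line should simply be deleted).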