From f6584c20796d3e68dd164bdb82837a391c489f41 Mon Sep 17 00:00:00 2001
From: Jos Groot Lipman
Date: Wed, 10 May 2017 15:16:36 +0000
Subject: [PATCH] AAIT#39909 'anonieme' autorisatie vanuit een link in de bon of e-mail
svn path=/Website/trunk/; revision=33787
---
APPL/ALG/alg.inc | 24 ++++++------
APPL/API/shorturl.asp | 44 ++++++++++++++++------
APPL/PDA/notitie.asp | 6 +--
APPL/PRS/prs_edit_bedrijfadres.asp | 15 ++++++++
APPL/PRS/prs_edit_bedrijfadres_save.asp | 37 +++++++++---------
APPL/PRS/prs_show_bedrijfadres.asp | 11 ++++++
APPL/Shared/Shared.inc | 2 +-
APPL/Shared/xml_converter.inc | 27 ++++++++-----
UTILS/PutOrders/puo_allorders.js | 9 +++--
UTILS/PutOrders/puo_sendfile.js | 2 +
UTILS/PutOrders/puo_xmltools.js | 50 +++++++++++++++++++++++++
11 files changed, 170 insertions(+), 57 deletions(-)
diff --git a/APPL/ALG/alg.inc b/APPL/ALG/alg.inc
index 4fad985197..912da7af66 100644
--- a/APPL/ALG/alg.inc
+++ b/APPL/ALG/alg.inc
@@ -389,33 +389,33 @@ alg = { return aresult; }, - + calc_algm2: function _calc_algm2(alg_key, lvl) - { + { var sql = "SELECT SUM (alg_ruimte_bruto_vloeropp) opp1, " + " SUM (alg_ruimte_opp_alt1) opp2, " + " SUM (alg_ruimte_opp_alt2) opp3 " + " FROM alg_ruimte r, alg_verdieping v " + " WHERE v.alg_verdieping_key = r.alg_verdieping_key " + " AND r.alg_ruimte_verwijder IS NULL"; - + if (lvl == "G") { sql += " AND alg_gebouw_key = " + alg_key; } - - if (lvl == "V") - { + + if (lvl == "V") + { sql += " AND r.alg_verdieping_key = " + alg_key; } - + var oRs = Oracle.Execute(sql); - - var algm2 = { oppbruto: oRs("opp1").Value, oppalt1: oRs("opp2").Value, oppalt2: oRs("opp3").Value } + + var algm2 = { oppbruto: oRs("opp1").Value, oppalt1: oRs("opp2").Value, oppalt2: oRs("opp3").Value } oRs.Close(); - - return algm2; + + return algm2; } - } + } %>
\ No newline at end of file
diff --git a/APPL/API/shorturl.asp b/APPL/API/shorturl.asp
index 8e7a9d470e..08bec24d3a 100644
--- a/APPL/API/shorturl.asp
+++ b/APPL/API/shorturl.asp
@@ -38,7 +38,10 @@ __Log("== Entering shorturl.asp ==");
'locatie': { gui: 'appl/alg/alg_locatie.asp?key=' },
'melding': { gui: 'appl/mld/mld_melding.asp?mld_key=', mob: 'appl/pda/melding.asp?mld_key=' },
'message': { gui: 'appl/msg/msg_message.asp?message_key=' },
- 'opdracht': { gui: 'appl/mld/mld_opdr.asp?opdr_key=', mob: 'appl/pda/order.asp?opdr_key=' },
+ 'opdracht': { gui: 'appl/mld/mld_opdr.asp?opdr_key=',
+ mob: 'appl/pda/order.asp?opdr_key=',
+ lckgui: 'appl/mld/mld_opdr_actions.asp?opdr_key=',
+ lckmob: 'appl/mld/mld_opdr_actions.asp?opdr_key=' },
'perslid': { gui: 'appl/prs/prs_perslid.asp?prs_key=', mob: 'appl/pda/user_info.asp?prs_key=' },
'reservering': { gui: 'appl/res/res_reservering.asp?rsv_ruimte_key=', mob: 'appl/pda/reservering.asp?rsv_ruimte_key=' },
'ruimte': { gui: 'appl/alg/alg_ruimte.asp?key=', mob: 'appl/pda/ruimte.asp?ruimte_key=' },
@@ -47,16 +50,33 @@ __Log("== Entering shorturl.asp =="); } var keyparam = getQParamInt("k", -1); - var locked_user_key = getQParamInt("luk", -1); - // TODO: beschermen met hmac - // Daarom nog niet geactiveerd - if (locked_user_key > 0) - { + + var locked_bdradr_key = getQParamInt("lbdr", -1); + if (locked_bdradr_key > 0) + { // Eerst: hmac controleren + var sql = "SELECT prs_bedrijfadres_locksecret," + + " prs_bedrijfadres_lockuser_key," + + " prs_bedrijfadres_lockexpire" + + " FROM prs_bedrijfadres" + + " WHERE prs_bedrijfadres_key = " + locked_bdradr_key + + " AND prs_bedrijfadres_locksecret IS NOT NULL" + + " AND prs_bedrijfadres_lockuser_key IS NOT NULL"; + var oRs = Oracle.Execute(sql); + var locksecret = oRs("prs_bedrijfadres_locksecret").Value; + var lockuser_key = oRs("prs_bedrijfadres_lockuser_key").Value; + var lockexpire = oRs("prs_bedrijfadres_lockexpire").Value; + oRs.Close() + __Log("Checking locked bdradr {0} expire {1} days".format(locked_bdradr_key, lockexpire)); + protectQS.verify({ sleutel: locksecret, + expire: lockexpire * 24 * 60, + checkpath: "/", // altijd tegen de root zonder default.asp + no_user_key: true }); // tamper check + var user_allowed = Session("locked_user_allowed") || []; // Array voor als je meerdere tabjes open hebt var found = false; for (var i = 0; i < user_allowed.length; i++) { - if (user_allowed[i].locked_user_key == locked_user_key && + if (user_allowed[i].locked_user_key == lockuser_key && user_allowed[i].xmlnode == u && user_allowed[i].key == keyparam) { @@ -66,7 +86,7 @@ __Log("== Entering shorturl.asp =="); } if (!found) { - user_allowed.push({ locked_user_key: locked_user_key, + user_allowed.push({ locked_user_key: lockuser_key, xmlnode: u, key: keyparam }) 
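Review bot: The `lbdr` lookup reads `oRs("prs_bedrijfadres_locksecret").Value` without first testing `oRs.EOF`, so an unknown or unlocked address key (no row passes the two `IS NOT NULL` filters) most likely fails with a recordset error before `protectQS.verify` ever runs, instead of being refused cleanly; add `if (oRs.EOF) { oRs.Close(); /* refuse: unknown/unlocked lbdr, same response as an invalid hmac */ }` before the three reads. The WHERE clause also does not require `prs_bedrijfadres_lockexpire IS NOT NULL`, so a NULL expiry turns `expire: lockexpire * 24 * 60` into 0, and whether protectQS.verify treats 0 as "never expires" or "always expired" is not visible here — pin it down, preferably by adding `AND prs_bedrijfadres_lockexpire IS NOT NULL` to the query. The SQL concatenation is safe only if `getQParamInt` always yields a number for `lbdr`, which the helper's name suggests but this hunk cannot show.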
@@ -88,13 +108,15 @@ __Log("== Entering shorturl.asp =="); checkUserAgent(); // devicebits waren anders mogelijk nog niet gezet if (device.test(device.isDesktop) || device.test(device.isTouch)) { - url = known_bookmarks[u].gui; + url = locked_bdradr_key > 0? known_bookmarks[u].lckgui : known_bookmarks[u].gui; } else { - url = known_bookmarks[u].mob || known_bookmarks[u].gui; + url = locked_bdradr_key > 0? known_bookmarks[u].lckmob || known_bookmarks[u].lckgui + : known_bookmarks[u].mob || known_bookmarks[u].gui; isMobile = true; } + url = url + keyparam; if (keyparam > -1) @@ -183,7 +205,7 @@ __Log("== Entering shorturl.asp =="); else var theURL = protectQS.create(url); - if (locked_user_key < 0 && isKnownBookmark && !isMobile && getQParamInt("internal", 0) == 0) + if (locked_bdradr_key < 0 && isKnownBookmark && !isMobile && getQParamInt("internal", 0) == 0) { Session("FirstPage") = theURL; theURL = rooturl + "/"; diff --git a/APPL/PDA/notitie.asp b/APPL/PDA/notitie.asp index 7aed5dca7f..acd77045d3 100644 --- a/APPL/PDA/notitie.asp +++ b/APPL/PDA/notitie.asp @@ -10,7 +10,9 @@ Context: Vanuit mobile device short url Note: */ -%> +var pnode = getQParam("node"); +var pkey = getQParamInt("key"); +var LOCKED_USER_OK = { "xmlnode": pnode, "key": pkey };%> @@ -23,8 +25,6 @@ FCLTHeader.Requires({ js: ["./modernizr-3.3.0.custom.min.js"] }); var qrc = getQParamInt("qrc", 0) != 0; -var pnode = getQParam("node"); -var pkey = getQParamInt("key"); var tracking = getQParamInt("tracking", 0) == 1; // tracking erbij tonen? var pnote = { note_key: getQParamInt("notekey", -1), subject: "" diff --git a/APPL/PRS/prs_edit_bedrijfadres.asp b/APPL/PRS/prs_edit_bedrijfadres.asp index 44f3df442d..d0ccbf3075 100644 --- a/APPL/PRS/prs_edit_bedrijfadres.asp +++ b/APPL/PRS/prs_edit_bedrijfadres.asp @@ -17,6 +17,7 @@ + <% FCLTHeader.Requires({plugins:["jQuery"], js: []}) 
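Review bot: `known_bookmarks[u].lckgui` and `lckmob` are defined only for the `'opdracht'` entry (hunk at -38), so a locked link for any other known bookmark sets `url` to `"undefined" + keyparam` and continues into `protectQS.create` with a bogus path instead of being refused. Guard the lookup, e.g. `url = known_bookmarks[u].lckgui; if (!url) { /* treat as unknown bookmark */ }`, and let the mobile branch fall back to `lckgui` only. The -183 hunk now skips the `Session("FirstPage")` redirect whenever `locked_bdradr_key` is set; a comment such as `// locked links have no regular session: go straight to the target page` would record why. The enclosing code starts before these hunks.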
@@ -54,6 +55,9 @@ else + " , a.prs_bedrijfadres_certificate" + " , a.prs_bedrijfadres_xsl" + " , a.prs_bedrijfadres_ext" + + " , a.prs_bedrijfadres_lockuser_key" + + " , a.prs_bedrijfadres_locksecret" + + " , a.prs_bedrijfadres_lockexpire" + " , a.prs_bedrijfadres_attachfile" + " , a.prs_bedrijfadres_flexfiles" + " , a.prs_bedrijfadres_encoding" @@ -81,6 +85,9 @@ else var prs_cert = oRs("prs_bedrijfadres_certificate").value; var prs_xsl = oRs("prs_bedrijfadres_xsl").value; var prs_ext = oRs("prs_bedrijfadres_ext").value; + var lockuser_key = oRs('prs_bedrijfadres_lockuser_key').value; + var locksecret = oRs('prs_bedrijfadres_locksecret').value; + var lockexpire = oRs('prs_bedrijfadres_lockexpire').value; var bijlage = oRs('prs_bedrijfadres_attachfile').value; var flexfiles = oRs('prs_bedrijfadres_flexfiles').value; var encoding = oRs("prs_bedrijfadres_encoding").value; @@ -264,6 +271,14 @@ else initKey: encoding||0 } ); + + FCLTpersoonselector("lockuser_key", + "sgPerson", + { perslidKey: lockuser_key, + label: L("lcl_prs_bedrijfadres_lockuser") + }); + RWFIELDTR("locksecret", "fld", L("lcl_prs_bedrijfadres_locksecret"), locksecret); + RWFIELDTR("lockexpire", "fld", L("lcl_prs_bedrijfadres_lockexpire"), lockexpire, {datatype: "number" }); %> diff --git a/APPL/PRS/prs_edit_bedrijfadres_save.asp b/APPL/PRS/prs_edit_bedrijfadres_save.asp index 6881333ae4..a9df7ceb97 100644 --- a/APPL/PRS/prs_edit_bedrijfadres_save.asp +++ b/APPL/PRS/prs_edit_bedrijfadres_save.asp 
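Review bot: `RWFIELDTR("locksecret", "fld", ...)` renders the HMAC secret as an ordinary editable text field, whereas prs_show_bedrijfadres.asp marks the same value with `secret: true`; if RWFIELDTR supports a comparable option it should be used here too, so the secret is not echoed in plain text into the form, browser autofill and history. `lockexpire` is stored as a bare number but shorturl.asp multiplies it by `24 * 60`, i.e. it is a number of days; say so next to the field, e.g. `// lockexpire is in days; shorturl.asp converts it to minutes for protectQS.verify`.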
@@ -53,23 +53,26 @@ else var protocol = getFParam("protocol"); var url = getFParam("prs_url"); - var fields = [ { dbs: "prs_bedrijfadres_type", typ: "varchar", frm: "prs_type" } - , { dbs: "mld_typeopdr_key", typ: "key", val: typeopdr } - , { dbs: "alg_district_key", typ: "key", frm: "districtkey" } - , { dbs: "alg_locatie_key", typ: "key", frm: "locatiekey" } - , { dbs: "prs_bedrijfadres_url", typ: "varchar", val: protocol + url} - , { dbs: "prs_bedrijfadres_username", typ: "varchar", frm: "prs_username" } - , { dbs: "prs_bedrijfadres_password", typ: "varchar", frm: "prs_password" } - , { dbs: "prs_bedrijfadres_authmethod", typ: "number", frm: "authmethod" } - , { dbs: "prs_bedrijfadres_ordermode", typ: "number", frm: "prs_ordermode" } - , { dbs: "prs_bedrijfadres_soapversion", typ: "varchar", frm: "soapversion" } - , { dbs: "prs_bedrijfadres_soapaction", typ: "varchar", frm: "soapaction" } - , { dbs: "prs_bedrijfadres_certificate", typ: "varchar", frm: "prs_cert" } - , { dbs: "prs_bedrijfadres_xsl", typ: "varchar", frm: "prs_xsl" } - , { dbs: "prs_bedrijfadres_ext", typ: "varchar", frm: "prs_ext" } - , { dbs: "prs_bedrijfadres_attachfile", typ: "varchar", frm: "bijlage" } - , { dbs: "prs_bedrijfadres_flexfiles" , typ: "number", frm: "flexfiles" } - , { dbs: "prs_bedrijfadres_encoding", typ: "number", frm: "encoding" } + var fields = [ { dbs: "prs_bedrijfadres_type", typ: "varchar", frm: "prs_type" } + , { dbs: "mld_typeopdr_key", typ: "key", val: typeopdr } + , { dbs: "alg_district_key", typ: "key", frm: "districtkey" } + , { dbs: "alg_locatie_key", typ: "key", frm: "locatiekey" } + , { dbs: "prs_bedrijfadres_url", typ: "varchar", val: protocol + url} + , { dbs: "prs_bedrijfadres_username", typ: "varchar", frm: "prs_username" } + , { dbs: "prs_bedrijfadres_password", typ: "varchar", frm: "prs_password" } + , { dbs: "prs_bedrijfadres_authmethod", typ: "number", frm: "authmethod" } + , { dbs: "prs_bedrijfadres_ordermode", typ: "number", frm: "prs_ordermode" } + , { 
dbs: "prs_bedrijfadres_soapversion", typ: "varchar", frm: "soapversion" } + , { dbs: "prs_bedrijfadres_soapaction", typ: "varchar", frm: "soapaction" } + , { dbs: "prs_bedrijfadres_certificate", typ: "varchar", frm: "prs_cert" } + , { dbs: "prs_bedrijfadres_xsl", typ: "varchar", frm: "prs_xsl" } + , { dbs: "prs_bedrijfadres_ext", typ: "varchar", frm: "prs_ext" } + , { dbs: "prs_bedrijfadres_lockuser_key", typ: "key", frm: "lockuser_key" } + , { dbs: "prs_bedrijfadres_locksecret", typ: "varchar", frm: "locksecret" } + , { dbs: "prs_bedrijfadres_lockexpire" , typ: "number", frm: "lockexpire" } + , { dbs: "prs_bedrijfadres_attachfile", typ: "varchar", frm: "bijlage" } + , { dbs: "prs_bedrijfadres_flexfiles" , typ: "number", frm: "flexfiles" } + , { dbs: "prs_bedrijfadres_encoding", typ: "number", frm: "encoding" } ]; var isDeleted = false; diff --git a/APPL/PRS/prs_show_bedrijfadres.asp b/APPL/PRS/prs_show_bedrijfadres.asp index f4dcc191ee..a729d7b2fa 100644 --- a/APPL/PRS/prs_show_bedrijfadres.asp +++ b/APPL/PRS/prs_show_bedrijfadres.asp @@ -52,6 +52,9 @@ FCLTHeader.Requires({plugins:["jQuery"]}) + " , a.prs_bedrijfadres_certificate" + " , a.prs_bedrijfadres_xsl" + " , a.prs_bedrijfadres_ext" + + " , p.prs_perslid_naam_friendly" + + " , a.prs_bedrijfadres_locksecret" + + " , a.prs_bedrijfadres_lockexpire" + " , a.prs_bedrijfadres_attachfile" + " , a.prs_bedrijfadres_flexfiles" + " FROM prs_bedrijfadres a" @@ -59,7 +62,9 @@ FCLTHeader.Requires({plugins:["jQuery"]}) + " , mld_typeopdr t" + " , alg_locatie l" + " , alg_district d" + + " , prs_v_perslid_fullnames p" + " WHERE b.prs_bedrijf_key = a.prs_bedrijf_key" + + " AND a.prs_bedrijfadres_lockuser_key = p.prs_perslid_key(+)" + " AND a.mld_typeopdr_key = t.mld_typeopdr_key(+)" + " AND a.alg_locatie_key = l.alg_locatie_key(+)" + " AND a.alg_district_key = d.alg_district_key(+)" 
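Review bot: `prs_bedrijfadres_locksecret` is written straight from the `locksecret` form field with no server-side check on its content, yet this value is the only thing that makes the anonymous `lbdr` links unforgeable; an empty or very short secret should be rejected (or a random one generated) before the row is saved, e.g. `var locksecret = getFParam("locksecret"); if (locksecret && locksecret.length < MIN_SECRET_LEN) { /* report validation error */ }` with MIN_SECRET_LEN a documented constant to be chosen. `lockexpire` is likewise accepted as any number; zero and negative values need a defined meaning or a rejection. Separately, re-aligning the whole `fields` table turns a three-line addition into a twenty-line diff; keeping the old alignment would make the functional change easier to review. The enclosing block starts before this hunk.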
@@ -85,6 +90,9 @@ FCLTHeader.Requires({plugins:["jQuery"]})
var prs_cert = oRs("prs_bedrijfadres_certificate").value;
var prs_xsl = oRs("prs_bedrijfadres_xsl").value;
var prs_ext = oRs("prs_bedrijfadres_ext").value;
+ var lockuser = oRs('prs_perslid_naam_friendly').value;
+ var locksecret = oRs('prs_bedrijfadres_locksecret').value;
+ var lockexpire = oRs('prs_bedrijfadres_lockexpire').value;
var bijlage = oRs('prs_bedrijfadres_attachfile').value;
var flexfiles = oRs('prs_bedrijfadres_flexfiles').value;
@@ -149,6 +157,9 @@ FCLTHeader.Requires({plugins:["jQuery"]})
ROFIELDTR("fld", L("lcl_prs_companies_order_certificate"), prs_cert, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_companies_xsl"), prs_xsl, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_bedrijfadres_ext"), prs_ext, {suppressEmpty:true});
+ ROFIELDTR("fld", L("lcl_prs_bedrijfadres_lockuser"), lockuser, {suppressEmpty:true});
+ ROFIELDTR("fld", L("lcl_prs_bedrijfadres_secret"), locksecret, {suppressEmpty:true, secret: true});
+ ROFIELDTR("fld", L("lcl_prs_bedrijfadres_expire"), lockexpire, {suppressEmpty:true});
ROFIELDTR("fld", L("lcl_prs_bedrijfadres_bijlage"), bijlage, {suppressEmpty:true});
ROCHECKBOXTR("fldcheck", L("lcl_puo_order_flexfiles"), flexfiles==0 && S("puo_order_flexfiles")==1 || flexfiles==1);
BLOCK_END();
diff --git a/APPL/Shared/Shared.inc b/APPL/Shared/Shared.inc
index 684bacfc0b..ec54840bc0 100644
--- a/APPL/Shared/Shared.inc
+++ b/APPL/Shared/Shared.inc
@@ -1312,7 +1312,7 @@ var protectQS =
var file = padsplitter[padsplitter.length-1]; // laatste component
// Let op dat create dezelfde data hasht
- var data = user_key + ":" + file.toUpperCase() + "?" +qs;
+ var data = (params.no_user_key?"":(user_key + ":")) + file.toUpperCase() + "?" +qs;
//__Log("testing hmacdata: " + data);
//__Log("testing sleutel: "+ params.sleutel);
if (params.allow_anonymous)
diff --git a/APPL/Shared/xml_converter.inc b/APPL/Shared/xml_converter.inc
index 738b882e06..29725de591 100644
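Review bot: The label keys used here, `lcl_prs_bedrijfadres_secret` and `lcl_prs_bedrijfadres_expire`, differ from the ones used for the same columns in prs_edit_bedrijfadres.asp (`lcl_prs_bedrijfadres_locksecret`, `lcl_prs_bedrijfadres_lockexpire`); unless both pairs exist in the resource file one of the two pages will show a missing-label placeholder, and two keys for one field invite drift. Pick one pair and use it on both pages. The `secret: true` option on the locksecret row is the right choice for a value that signs anonymous links.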
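Review bot: The new `params.no_user_key` branch drops the session user from the HMAC input, so for such links the only secret material is `params.sleutel`; that is intended for the locked-user flow but not obvious from this line, and a comment above `var data`, e.g. `// no_user_key: link is not bound to a session user, so the caller must supply a per-recipient sleutel`, would make the contract explicit. The existing comment says create must hash the same data; confirm that the create side applies the same `no_user_key` test, since that path is outside this hunk.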
--- a/APPL/Shared/xml_converter.inc +++ b/APPL/Shared/xml_converter.inc @@ -49,20 +49,27 @@ function STR2Stream(xmlstr, xslfile, Stream, params) xslproc.transform(); p_bodyhtml = xslproc.output; - // eerst hmac(urlstring, prs_key) vervangen - // hmac(/?u=melding&k=1234&luk=33083,33083) wordt iets van - // /?u=melding&k=1234&luk=33083&hmac=1234567890:ahebher9e8234r34 - // protectQS.create(string, { sleutel: "abcde", // van 33083, niet de huidige persoon! - // no_user_key: true } - var hmacs = p_bodyhtml.match(/(hmac\([^\)]*\))/g); // heeft nu array van hmac(/?u=melding&k=1234&luk=33083,33083) + // eerst lockeduser(xmlnode,key,bdradr_key) vervangen + // lockeduser(opdracht,12345,910) met 12345 opdracht_key en 910 bedrijfadres_key + var hmacs = p_bodyhtml.match(/(lockeduser\([^\)]*\))/g); // heeft nu array van lockeduser(opdracht,12345,910) for (var i =0; hmacs && i < hmacs.length; i++) { - var params = hmacs[i].match(/\(([^,]+)\,(\d+)\)/); - if (params.length == 3) + var params = hmacs[i].match(/\(([^,]+)\,(\d+),(\d+)\)/); + if (params.length == 4) { - var url = params[1]; + var xmlnode = params[1]; // We ondersteunen alleen nog maar 'opdracht' var key = params[2]; - var newurl = protectQS.create(url, { sleutel: "abcd", no_user_key: true }); + var bdradr_key = params[3]; + var sql = "SELECT prs_bedrijfadres_locksecret" + + " FROM prs_bedrijfadres" + + " WHERE prs_bedrijfadres_key = " + bdradr_key + + " AND prs_bedrijfadres_locksecret IS NOT NULL" + + " AND prs_bedrijfadres_lockuser_key IS NOT NULL"; + var oRs = Oracle.Execute(sql); + var locksecret = oRs("prs_bedrijfadres_locksecret").Value; + oRs.Close() + var url = "?u={0}&k={1}&lbdr={2}".format(xmlnode, key, bdradr_key); + var newurl = protectQS.create(url, { sleutel: locksecret, no_user_key: true }); p_bodyhtml = p_bodyhtml.replace(hmacs[i], newurl); } } diff --git a/UTILS/PutOrders/puo_allorders.js b/UTILS/PutOrders/puo_allorders.js index 48ed1b616e..6d36df42ae 100644 --- a/UTILS/PutOrders/puo_allorders.js 
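Review bot: `hmacs[i].match(/\(([^,]+)\,(\d+),(\d+)\)/)` returns null when a `lockeduser(...)` token does not have exactly three arguments (the outer regex accepts any content between the parentheses), so `params.length == 4` throws and the whole transformation aborts; test `if (params && params.length == 4)`. The same `var params` shadows the `params` argument of STR2Stream shown in the hunk header, so any later use of the function parameter inside this function sees the regex match instead — rename it, e.g. `lockparams`. As in shorturl.asp, `oRs("prs_bedrijfadres_locksecret").Value` is read without an `oRs.EOF` check, so a `bdradr_key` without a configured secret fails with a recordset error rather than being handled; the copy of this loop in puo_xmltools.js has the same gaps. The function body continues outside the hunk.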
+++ b/UTILS/PutOrders/puo_allorders.js
@@ -115,7 +115,8 @@ function send1Order(Bedrijf_key, prs_loc_key, XMLnode, OpdrKey, ordernr, Sender,
+ " ba.prs_bedrijfadres_password,"
+ " ba.prs_bedrijfadres_authmethod,"
+ " ba.prs_bedrijfadres_soapversion,"
- + " ba.prs_bedrijfadres_soapaction"
+ + " ba.prs_bedrijfadres_soapaction,"
+ + " ba.prs_bedrijfadres_locksecret"
+ " FROM prs_bedrijfadres ba "
+ " WHERE ba.prs_bedrijf_key = " + Bedrijf_key
+ " AND ((ba.alg_locatie_key = " + prs_loc_key + ") OR (ba.alg_locatie_key IS NULL))"
@@ -174,7 +175,8 @@ function send1Order(Bedrijf_key, prs_loc_key, XMLnode, OpdrKey, ordernr, Sender,
}
else
{
- var bedrijfadres = { url: oRsB("prs_bedrijfadres_url").value,
+ var bedrijfadres = { key: Bedrijf_key,
+ url: oRsB("prs_bedrijfadres_url").value,
encoding: oRsB("prs_bedrijfadres_encoding").value,
ordermode: oRsB("prs_bedrijfadres_ordermode").value,
typeopdr_key: oRsB("mld_typeopdr_key").value,
@@ -187,7 +189,8 @@ function send1Order(Bedrijf_key, prs_loc_key, XMLnode, OpdrKey, ordernr, Sender,
password: oRsB("prs_bedrijfadres_password").value,
authmethod: oRsB("prs_bedrijfadres_authmethod").value || 0,
soapversion: oRsB("prs_bedrijfadres_soapversion").value,
- soapaction: oRsB("prs_bedrijfadres_soapaction").value
+ soapaction: oRsB("prs_bedrijfadres_soapaction").value,
+ locksecret: oRsB("prs_bedrijfadres_locksecret").value
}; oRsB.Close();
diff --git a/UTILS/PutOrders/puo_sendfile.js b/UTILS/PutOrders/puo_sendfile.js
index 9190fdecd0..332abbe359 100644
--- a/UTILS/PutOrders/puo_sendfile.js
+++ b/UTILS/PutOrders/puo_sendfile.js
@@ -259,6 +259,7 @@ function connectMail( p_connect
, p_xslPath
, ""
, "email"
+ , p_bedrijfadres
);
params.attachFileName = p_filename; //JGL Volgens mij don't care parameter
mailResult = sendMail( p_sender
@@ -385,6 +386,7 @@ function SendOrder( p_connect
, p_xslPath
, p_code
, ""
+ , p_bedrijfadres
)
var XMLResult = new ActiveXObject("Msxml2.DOMDocument.6.0");
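Review bot: `key: Bedrijf_key` stores the prs_bedrijf key under the generic name `key` on an object called `bedrijfadres`, while every lock lookup added in this commit (shorturl.asp, xml_converter.inc, puo_xmltools.js) is keyed on `prs_bedrijfadres_key`; a consumer that reads `bedrijfadres.key` expecting the address key would query the wrong row. Name it `bedrijf_key: Bedrijf_key`, or select `ba.prs_bedrijfadres_key` in the query in the -115 hunk and store that as `key`. The query and the rest of send1Order lie partly outside these hunks.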
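Review bot: `p_bedrijfadres` is now passed to XML2HTML from connectMail and SendOrder, but the diffstat shows only these two insertions in puo_sendfile.js, so neither function's parameter list was extended; unless `p_bedrijfadres` is already a parameter or a script-level variable there, it is an unresolved identifier and both calls fail at runtime. Please confirm where it is declared, and if it is meant to be a new parameter, add it to the signatures of connectMail and SendOrder and to their callers. Both function headers are outside the hunks.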
diff --git a/UTILS/PutOrders/puo_xmltools.js b/UTILS/PutOrders/puo_xmltools.js
index ede5dcdb39..b7cb8f9cf3 100644
--- a/UTILS/PutOrders/puo_xmltools.js
+++ b/UTILS/PutOrders/puo_xmltools.js
@@ -66,6 +66,7 @@ function XML2HTML( body
, xslPath
, srtnotificatie
, mode
+ , p_bedrijfadres
)
{
// Transform body=xml according to xslPath=xslfilenaam with optionel srtnotification parameter (e.g. RESBEV)
@@ -88,6 +89,55 @@ function XML2HTML( body xslProc.transform(); result = xslProc.output; + // eerst lockeduser(xmlnode,key,bdradr_key) vervangen + // lockeduser(opdracht,12345,910) met 12345 opdracht_key en 910 bedrijfadres_key + var hmacs = result.match(/(lockeduser\([^\)]*\))/g); // heeft nu array van lockeduser(opdracht,12345,910) + for (var i =0; hmacs && i < hmacs.length; i++) + { + var params = hmacs[i].match(/\(([^,]+)\,(\d+),(\d+)\)/); + if (params.length == 4) + { + var xmlnode = params[1]; // We ondersteunen alleen nog maar 'opdracht' + var key = params[2]; + var bdradr_key = params[3]; + var sql = "SELECT prs_bedrijfadres_locksecret" + + " FROM prs_bedrijfadres" + + " WHERE prs_bedrijfadres_key = " + bdradr_key + + " AND prs_bedrijfadres_locksecret IS NOT NULL" + + " AND prs_bedrijfadres_lockuser_key IS NOT NULL"; + var oRs = Oracle.Execute(sql); + var locksecret = oRs("prs_bedrijfadres_locksecret").Value; + oRs.Close(); + var url = "?u={0}&k={1}&lbdr={2}".format(xmlnode, key, bdradr_key); + +// create hmac + var splitter = url.split("?"); + var pad = splitter[0]; + var qs = splitter.length>1?splitter[1]:"x=x"; + var padsplitter = pad.split("/"); + var file = padsplitter[padsplitter.length-1]; // laatste component + // Let op dat protectQS.wsc hetzelfde doet voor Facmgt + var str = file.toUpperCase() + "?" + qs; + + //var hmacced = protectHMAC.create(data, params); + var ts = String(Math.round((new Date).getTime() / 1000)); + var data = ts + ":" + str + Log2File(2, "hmacdata: " + data); + //__Log("sleutel: "+ params.sleutel); + var oCrypto = new ActiveXObject("SLNKDWF.Crypto"); + var sig = oCrypto.hex_hmac_sha1(locksecret, data); + var hmac = oCrypto.hex2base64(sig, false, true); // no padding, urlsafe + oCrypto = null; // Caching klinkt leuk maar Oracle sessies blijven langer hangen? + hmacced = ts+":"+hmac; + + newurl = pad + "?" 
+ qs + "&hmac="+encodeURIComponent(hmacced); + + //var newurl = protectQS.create(url, { sleutel: locksecret, no_user_key: true }); + result = result.replace(hmacs[i], newurl); + } + } + + return result; }
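Review bot: `hmacced` and `newurl` are assigned without `var`, so in this script they become implicit globals that outlive the call and are shared across every order processed in the same run; declare them locally. As in xml_converter.inc, `params` is not null-checked (`params.length == 4` throws when the token has a different arity) and `oRs("prs_bedrijfadres_locksecret").Value` is read without an `oRs.EOF` test, so one supplier address without a configured secret aborts the whole transformation; the rewrite below logs and strips the token instead, which should be swapped for a hard failure if that is what puo's error policy prefers. The inline HMAC construction is a copy of protectQS.create (the commented-out call shows the intent) and the existing comment acknowledges it, but a pointer to the exact routine that must stay in sync, e.g. `// keep in sync with protectQS.create/verify in APPL/Shared/Shared.inc`, would help the next maintainer. XML2HTML's signature is in the previous hunk; only the changed lines are shown below.
```javascript
    var params = hmacs[i].match(/\(([^,]+)\,(\d+),(\d+)\)/);
    if (params && params.length == 4)
    {
      // … unchanged: xmlnode, key, bdradr_key and the sql string …
      var oRs = Oracle.Execute(sql);
      if (oRs.EOF)
      {
        oRs.Close();
        Log2File(2, "lockeduser: no locksecret configured for bedrijfadres " + bdradr_key);
        result = result.replace(hmacs[i], "");   // never emit a link we cannot sign
        continue;
      }
      var locksecret = oRs("prs_bedrijfadres_locksecret").Value;
      oRs.Close();
      // … unchanged: url, pad/qs split, ts, data, Log2File, SLNKDWF.Crypto …
      var hmacced = ts + ":" + hmac;
      var newurl = pad + "?" + qs + "&hmac=" + encodeURIComponent(hmacced);
      result = result.replace(hmacs[i], newurl);
    }
```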