AAIT#39909 'anonieme' autorisatie vanuit een link in de bon of e-mail

svn path=/Website/trunk/; revision=33787
This commit is contained in:
Jos Groot Lipman
2017-05-10 15:16:36 +00:00
parent fb78deffa2
commit f6584c2079
11 changed files with 170 additions and 57 deletions


@@ -38,7 +38,10 @@ __Log("== Entering shorturl.asp ==");
'locatie': { gui: 'appl/alg/alg_locatie.asp?key=' },
'melding': { gui: 'appl/mld/mld_melding.asp?mld_key=', mob: 'appl/pda/melding.asp?mld_key=' },
'message': { gui: 'appl/msg/msg_message.asp?message_key=' },
'opdracht': { gui: 'appl/mld/mld_opdr.asp?opdr_key=', mob: 'appl/pda/order.asp?opdr_key=' },
'opdracht': { gui: 'appl/mld/mld_opdr.asp?opdr_key=',
mob: 'appl/pda/order.asp?opdr_key=',
lckgui: 'appl/mld/mld_opdr_actions.asp?opdr_key=',
lckmob: 'appl/mld/mld_opdr_actions.asp?opdr_key=' },
'perslid': { gui: 'appl/prs/prs_perslid.asp?prs_key=', mob: 'appl/pda/user_info.asp?prs_key=' },
'reservering': { gui: 'appl/res/res_reservering.asp?rsv_ruimte_key=', mob: 'appl/pda/reservering.asp?rsv_ruimte_key=' },
'ruimte': { gui: 'appl/alg/alg_ruimte.asp?key=', mob: 'appl/pda/ruimte.asp?ruimte_key=' },
@@ -47,16 +50,33 @@ __Log("== Entering shorturl.asp ==");
}
var keyparam = getQParamInt("k", -1);
var locked_user_key = getQParamInt("luk", -1);
// TODO: beschermen met hmac
// Daarom nog niet geactiveerd
if (locked_user_key > 0)
{
var locked_bdradr_key = getQParamInt("lbdr", -1);
if (locked_bdradr_key > 0)
{ // Eerst: hmac controleren
var sql = "SELECT prs_bedrijfadres_locksecret,"
+ " prs_bedrijfadres_lockuser_key,"
+ " prs_bedrijfadres_lockexpire"
+ " FROM prs_bedrijfadres"
+ " WHERE prs_bedrijfadres_key = " + locked_bdradr_key
+ " AND prs_bedrijfadres_locksecret IS NOT NULL"
+ " AND prs_bedrijfadres_lockuser_key IS NOT NULL";
var oRs = Oracle.Execute(sql);
var locksecret = oRs("prs_bedrijfadres_locksecret").Value;
var lockuser_key = oRs("prs_bedrijfadres_lockuser_key").Value;
var lockexpire = oRs("prs_bedrijfadres_lockexpire").Value;
oRs.Close()
__Log("Checking locked bdradr {0} expire {1} days".format(locked_bdradr_key, lockexpire));
protectQS.verify({ sleutel: locksecret,
expire: lockexpire * 24 * 60,
checkpath: "/", // altijd tegen de root zonder default.asp
no_user_key: true }); // tamper check
var user_allowed = Session("locked_user_allowed") || []; // Array voor als je meerdere tabjes open hebt
var found = false;
for (var i = 0; i < user_allowed.length; i++)
{
if (user_allowed[i].locked_user_key == locked_user_key &&
if (user_allowed[i].locked_user_key == lockuser_key &&
user_allowed[i].xmlnode == u &&
user_allowed[i].key == keyparam)
{
@@ -66,7 +86,7 @@ __Log("== Entering shorturl.asp ==");
}
if (!found)
{
user_allowed.push({ locked_user_key: locked_user_key,
user_allowed.push({ locked_user_key: lockuser_key,
xmlnode: u,
key: keyparam
})
@@ -88,13 +108,15 @@ __Log("== Entering shorturl.asp ==");
checkUserAgent(); // devicebits waren anders mogelijk nog niet gezet
if (device.test(device.isDesktop) || device.test(device.isTouch))
{
url = known_bookmarks[u].gui;
url = locked_bdradr_key > 0? known_bookmarks[u].lckgui : known_bookmarks[u].gui;
}
else
{
url = known_bookmarks[u].mob || known_bookmarks[u].gui;
url = locked_bdradr_key > 0? known_bookmarks[u].lckmob || known_bookmarks[u].lckgui
: known_bookmarks[u].mob || known_bookmarks[u].gui;
isMobile = true;
}
url = url + keyparam;
if (keyparam > -1)
@@ -183,7 +205,7 @@ __Log("== Entering shorturl.asp ==");
else
var theURL = protectQS.create(url);
if (locked_user_key < 0 && isKnownBookmark && !isMobile && getQParamInt("internal", 0) == 0)
if (locked_bdradr_key < 0 && isKnownBookmark && !isMobile && getQParamInt("internal", 0) == 0)
{
Session("FirstPage") = theURL;
theURL = rooturl + "/";