| Subroutine Name | Parameter Name | Valid Input | Description |
|---|---|---|---|
| check_where_clause() | | | |
| Permission() | | | |
| | $permission_group | | Group to which user must be authorized. |
| | $table | | Name of the table for which the permission is being checked. |
| ReportMethod() | | | The subroutine checks the $report parameter for a suffix and returns which report utility is used. |
| | $report | report_name.odt, report_name.pdf, report_name.rep | Report name. If $report is not defined or has no suffix, the utility is chosen based on the value of the DefaultReportEngine variable from the Apache config file. |
| CheckIfReportExists() | | | If the report method is odt or pdf, the subroutine checks whether the report name can be found in the public.odt_reports table. If the report method is rep, the subroutine uses FindReportmanFile() to search for and validate the report file. The subroutine returns 1 on success and 0 on failure. |
| | $table | | Name of the table for which the permission is being checked. |

The check_where_clause() subroutine parses the query and verifies that only authorized keywords, fields and operators are used. Here are the methods that change its behavior:

| Method Name | Description | Default Contents |
|---|---|---|
| PERMISSION | Used to override the default PERMISSION_BY_PROFILE. | `<%method PERMISSION><&SELF:PERMISSION_BY_PROFILE&></%method>` |
| AUTHORIZED_OPERATORS | A list of authorized operators. Used to check queries from the browser. | Default authorized operators are `<=`, `>=`, `=`, `<`, `>`, `=`, `~*`, `LIKE`, `ILIKE` |
| AUTHORIZED_KEYWORDS | A list of authorized keywords. Used to check queries from the browser. | Default keywords are AND, OR, NOT, IS, NULL. |
| AUTHORIZED_FIELDS | A list of authorized fields. Used to check queries from the browser. | Default list is `<& SELF:KEY &>`, `<& SELF:FIELDS &>`, `<& SELF:FIND_FIELDS &>` |
| AUTHORIZED_FUNCTIONS | A list of authorized functions. Used to check queries from the browser. | Empty. |
| PERMISSION_BY_PROFILE | Reads the permissions for record-set manipulation based on the user's profile. It is often used to return the user's permissions for the current FUNZIONE. | Possible return values: INSERT, SELECT, UPDATE, DELETE, ...; an empty return is equivalent to having no permissions; `*` is equivalent to having all permissions. |

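
The following Perl example is added here to illustrate the kind of allow-list check described for check_where_clause(); it is not the framework's own implementation. The operator and keyword lists are the defaults from the table, while the field names, the sample clauses, the tokenizer and the parenthesis-balance rule are assumptions of this example.

```perl
use strict;
use warnings;
# Operators and keywords are the defaults from the table above; the field
# names are constructed samples; no functions are authorized by default.
my %OP    = map { $_ => 1 } ('<=', '>=', '=', '<', '>', '~*', 'LIKE', 'ILIKE');
my %KW    = map { $_ => 1 } qw(AND OR NOT IS NULL);
my %FIELD = map { $_ => 1 } qw(id name city);
my %FUNC  = ();

# Split the clause into [type, text] tokens. A run of other symbols is kept as
# one OP token, so "<>", "--", ";" or "::" is never read as allowed pieces.
sub tokenize {
    my ($where) = @_;
    my @tok;
    for ($where) {
        while (1) {
            if    (/\G\s+/gc)                                    { next }
            elsif (/\G\z/gc)                                     { last }
            elsif (/\G('(?:[^'\\]|'')*'|[0-9]+(?:\.[0-9]+)?)/gc) { push @tok, [LIT   => $1] }
            elsif (/\G([A-Za-z_][A-Za-z0-9_]*)/gc)               { push @tok, [WORD  => $1] }
            elsif (/\G([()])/gc)                                 { push @tok, [PAREN => $1] }
            elsif (/\G([^\sA-Za-z0-9_'()]+)/gc)                  { push @tok, [OP    => $1] }
            else                                                 { return }  # unclosed quote
        }
    }
    return \@tok;
}

# Return 1 only if every token is a literal, a balanced paren or allow-listed.
sub check_where {
    my $tok = tokenize($_[0]) or return 0;
    my $depth = 0;
    for my $i (0 .. $#{$tok}) {
        my ($type, $text) = @{ $tok->[$i] };
        my $call = $i < $#{$tok} && $tok->[$i + 1][1] eq '(';   # word used as a function
        if    ($type eq 'PAREN') { return 0 if ($depth += $text eq '(' ? 1 : -1) < 0 }
        elsif ($type eq 'OP')    { return 0 unless $OP{$text} }
        elsif ($type eq 'WORD' && !$KW{uc $text} && !$OP{uc $text}) {
            return 0 unless $call ? $FUNC{lc $text} : $FIELD{lc $text};
        }
    }
    return $depth == 0 ? 1 : 0;
}

# Constructed sample clauses, as a browser might submit them.
for my $w ("name ILIKE 'ro%' AND (city = 'Trento' OR id >= 10)", "id <> 5",
           "upper(name) = 'ROSSI'", "id = 1) OR (id = 2", "secret = 'x'") {
    printf "%-8s %s\n", (check_where($w) ? 'allowed' : 'rejected'), $w;
}
```

A check of this kind limits the vocabulary of the clause, not which rows it selects, so any server-side row restriction still has to be ANDed around the parenthesized user clause.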
		