r20559: Web Application Framework

- Disallow, for now, any ScriptTransport access.  A serious security issue has
  been described, and since we don't currently need it for anything, disable
  it completely.

- Continued clean-up towards implementing the common authentication code
(This used to be commit 07817a5489dd8cc6c85c10116f4dba43d798ef03)

4 files changed, 67 insertions, 71 deletions

diff --git a/webapps/swat/source/class/swat/module/AbstractModuleFsm.js b/webapps/swat/source/class/swat/module/AbstractModuleFsm.js
index cffeb8b00a..a2564e708a 100644
--- a/webapps/swat/source/class/swat/module/AbstractModuleFsm.js
+++ b/webapps/swat/source/class/swat/module/AbstractModuleFsm.js
@@ -151,10 +151,10 @@ qx.Proto.addAwaitRpcResultState = function(module)
         function(fsm, event)
         {
           // Get the request object
-          var request = _this.getCurrentRpcRequest();
+          var rpcRequest = _this.getCurrentRpcRequest();
 
           // Issue an abort for the pending request
-          request.abort();
+          rpcRequest.request.abort();
         }
     });
   state.addTransition(trans);
@@ -174,14 +174,14 @@ qx.Proto.addAwaitRpcResultState = function(module)
         function(fsm, event)
         {
           // Get the request object
-          var request = _this.getCurrentRpcRequest();
+          var rpcRequest = _this.getCurrentRpcRequest();
           
           // Generate the result for a completed request
-          request.setUserData("result",
-                              {
-                                  type : "complete",
-                                  data : event.getData()
-                              });
+          rpcRequest.setUserData("result",
+                                  {
+                                      type : "complete",
+                                      data : event.getData()
+                                  });
         }
     });
   state.addTransition(trans);
@@ -201,14 +201,14 @@ qx.Proto.addAwaitRpcResultState = function(module)
         function(fsm, event)
         {
           // Get the request object
-          var request = _this.getCurrentRpcRequest();
+          var rpcRequest = _this.getCurrentRpcRequest();
           
           // Generate the result for a completed request
-          request.setUserData("result",
-                              {
-                                  type : "failed",
-                                  data : event.getData()
-                              });
+          rpcRequest.setUserData("result",
+                                  {
+                                      type : "failed",
+                                      data : event.getData()
+                                  });
         }
     });
   state.addTransition(trans);
@@ -221,68 +221,64 @@ qx.Proto.addAwaitRpcResultState = function(module)
  * @param fsm {qx.util.fsm.FiniteStateMachine}
  *   The finite state machine issuing this remote procedure call.
  *
- * @param service {String}
+ * @param service {string}
  *   The name of the remote service which provides the specified method.
  *
- * @param method {String}
+ * @param method {string}
  *   The name of the method within the specified service.
  *
  * @param params {Array}
  *   The parameters to be passed to the specified method.
  *
- * @return {qx.io.remote.Request}
+ * @return {Object}
  *   The request object for the just-issued RPC request.
  */
 qx.Proto.callRpc = function(fsm, service, method, params)
 {
   // Create an object to hold a copy of the parameters.  (We need a
   // qx.core.Object() to be able to store this in the finite state machine.)
-  var o = new qx.core.Object();
+  var rpcRequest = new qx.core.Object();
 
-  // copy the parameters; we'll prefix our copy with additional params
-  o.allParams = params.slice(0);
+  // Save the service name
+  rpcRequest.service = service;
 
-  // prepend the method
-  o.allParams.unshift(method);
+  // Copy the parameters; we'll prefix our copy with additional params
+  rpcRequest.params = params.slice(0);
 
-  // prepend the flag indicating to coalesce failure events
-  o.allParams.unshift(true);
+  // Prepend the method
+  rpcRequest.params.unshift(method);
 
-  // prepend the service name
-  o.allParams.unshift(service);
+  // Prepend the flag indicating to coalesce failure events
+  rpcRequest.params.unshift(true);
 
-  // Save the complete parameter list in case authentication fails and we need
-  // to reissue the request.
-  fsm.addObject("swat.module.rpc_params", o);
-  
   // Retrieve the RPC object */
   var rpc = fsm.getObject("swat.module.rpc");
 
   // Set the service name
-  rpc.setServiceName(o.allParams[0]);
+  rpc.setServiceName(rpcRequest.service);
 
   // Issue the request, skipping the already-specified service name
-  var request =
+  rpcRequest.request =
     qx.io.remote.Rpc.prototype.callAsyncListeners.apply(rpc,
-                                                        o.allParams.slice(1));
+                                                        rpcRequest.params);
 
-  // Make the request object available to the AwaitRpcResult state
-  this.pushRpcRequest(request);
+  // Make the rpc request object available to the AwaitRpcResult state
+  this.pushRpcRequest(rpcRequest);
 
   // Give 'em what they came for
-  return request;
+  return rpcRequest;
 };
 
 
 /**
  * Push an RPC request onto the request stack.
  *
- * @param request {qx.io.remote.Request}
- *   The just-issued request
+ * @param request {Object}
+ *   The just-issued rpc request object
  */
-qx.Proto.pushRpcRequest = function(request)
+qx.Proto.pushRpcRequest = function(rpcRequest)
 {
-  this._requests.push(request);
+  this._requests.push(rpcRequest);
 };
 
 
@@ -290,8 +286,8 @@ qx.Proto.pushRpcRequest = function(request)
  * Retrieve the most recent RPC request from the request stack and pop the
  * stack.
  *
- * @return {qx.io.remote.Request}
- *   The request from the top of the request stack
+ * @return {Object}
+ *   The rpc request object from the top of the request stack
  */
 qx.Proto.popRpcRequest = function()
 {
@@ -300,16 +296,16 @@ qx.Proto.popRpcRequest = function()
     throw new Error("Attempt to pop an RPC request when list is empty.");
   }
 
-  var request = this._requests.pop();
-  return request;
+  var rpcRequest = this._requests.pop();
+  return rpcRequest;
 };
 
 
 /**
  * Retrieve the most recent RPC request.
  *
- * @return {qx.io.remote.Request}
- *   The request at the top of the request stack
+ * @return {Object}
+ *   The rpc request object at the top of the request stack
  */
 qx.Proto.getCurrentRpcRequest = function()
 {
diff --git a/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js b/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js
index 8052d9a579..6b5ae695bf 100644
--- a/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js
+++ b/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js
@@ -43,15 +43,15 @@ qx.Proto.buildFsm = function(module)
           if (fsm.getPreviousState() == "State_AwaitRpcResult")
           {
             // Yup.  Display the result.  We need to get the request object
-            var request = _this.popRpcRequest();
+            var rpcRequest = _this.popRpcRequest();
 
             // Display the result
             var gui = swat.module.ldbbrowse.Gui.getInstance();
-            gui.displayData(module, request);
+            gui.displayData(module, rpcRequest);
 
             // Dispose of the request
-            request.dispose();
-            request = null;
+            rpcRequest.request.dispose();
+            rpcRequest.request = null;
           }
         },
 
diff --git a/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js b/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js
index 9e86be25e9..52db8fdd88 100644
--- a/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js
+++ b/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js
@@ -114,12 +114,12 @@ qx.Proto.buildGui = function(module)
  *   The result returned by SAMBA to our request.  We display the data
  *   provided by this result.
  */
-qx.Proto.displayData = function(module, request)
+qx.Proto.displayData = function(module, rpcRequest)
 {
   var gui = module.gui;
   var fsm = module.fsm;
-  var result = request.getUserData("result")
-  var requestType = request.getUserData("requestType");
+  var result = rpcRequest.getUserData("result")
+  var requestType = rpcRequest.getUserData("requestType");
 
   // Did the request fail?
   if (result.type == "failed")
@@ -133,19 +133,19 @@ qx.Proto.displayData = function(module, request)
   switch(requestType)
   {
   case "find":
-    this._displayFindResults(module, request);
+    this._displayFindResults(module, rpcRequest);
     break;
     
   case "tree_open":
-    this._displayTreeOpenResults(module, request);
+    this._displayTreeOpenResults(module, rpcRequest);
     break;
 
   case "tree_selection_changed":
-    this._displayTreeSelectionChangedResults(module, request);
+    this._displayTreeSelectionChangedResults(module, rpcRequest);
     break;
 
   case "database_name_changed":
-    this._clearAllFields(module, request);
+    this._clearAllFields(module, rpcRequest);
     break;
 
   default:
@@ -409,7 +409,7 @@ qx.Proto._buildPageBrowse = function(module, page)
 };
 
 
-qx.Proto._displayFindResults = function(module, request)
+qx.Proto._displayFindResults = function(module, rpcRequest)
 {
   var rowData = [];
   var fsm = module.fsm;
@@ -418,7 +418,7 @@ qx.Proto._displayFindResults = function(module, request)
   var maxLen = 0;
 
   // Obtain the result object
-  result = request.getUserData("result").data;
+  result = rpcRequest.getUserData("result").data;
 
   if (result && result["length"])
   {
@@ -497,18 +497,18 @@ qx.Proto._displayFindResults = function(module, request)
 };
 
 
-qx.Proto._displayTreeOpenResults = function(module, request)
+qx.Proto._displayTreeOpenResults = function(module, rpcRequest)
 {
   var t;
   var trs;
   var child;
 
   // Obtain the result object
-  var result = request.getUserData("result").data;
+  var result = rpcRequest.getUserData("result").data;
 
   // We also need some of the original parameters passed to the request
-  var parent = request.getUserData("parent");
-  var attributes = request.getUserData("attributes");
+  var parent = rpcRequest.getUserData("parent");
+  var attributes = rpcRequest.getUserData("attributes");
 
   // Any children?
   if (! result || result["length"] == 0)
@@ -548,12 +548,12 @@ qx.Proto._displayTreeOpenResults = function(module, request)
 };
 
 
-qx.Proto._displayTreeSelectionChangedResults = function(module, request)
+qx.Proto._displayTreeSelectionChangedResults = function(module, rpcRequest)
 {
   var fsm = module.fsm;
 
   // Obtain the result object
-  var result = request.getUserData("result").data;
+  var result = rpcRequest.getUserData("result").data;
 
   // If we received an empty list, ...
   if (result == null)
@@ -612,10 +612,10 @@ qx.Proto._displayTreeSelectionChangedResults = function(module, request)
 };
 
 
-qx.Proto._clearAllFields = function(module, request)
+qx.Proto._clearAllFields = function(module, rpcRequest)
 {
   // Obtain the result object
-  var result = request.getUserData("result").data;
+  var result = rpcRequest.getUserData("result").data;
 
   // Retrieve the database handle
   module.dbHandle = result;
diff --git a/webapps/swat/source/class/swat/module/statistics/Fsm.js b/webapps/swat/source/class/swat/module/statistics/Fsm.js
index 1aeab8a4a3..5e4843691c 100644
--- a/webapps/swat/source/class/swat/module/statistics/Fsm.js
+++ b/webapps/swat/source/class/swat/module/statistics/Fsm.js
@@ -67,15 +67,15 @@ qx.Proto.buildFsm = function(module)
           if (fsm.getPreviousState() == "State_AwaitRpcResult")
           {
             // Yup.  Display the result.  We need to get the request object
-            var request = _this.popRpcRequest();
+            var rpcRequest = _this.popRpcRequest();
 
             // Display the result
             var gui = swat.module.statistics.Gui.getInstance();
-            gui.displayData(module, request.getUserData("result"));
+            gui.displayData(module, rpcRequest.getUserData("result"));
 
             // Dispose of the request
-            request.dispose();
-            request = null;
+            rpcRequest.request.dispose();
+            rpcRequest.request = null;
 
             // Restart the timer.
             swat.module.statistics.Fsm._startTimer(fsm);