From 102e4840b3bc11cc84a0ecb784190e7501277ac4 Mon Sep 17 00:00:00 2001 From: Derrell Lipman Date: Fri, 5 Jan 2007 19:29:45 +0000 Subject: r20559: Web Application Framework - Disallow, for now, any ScriptTransport access. A serious security issue has been described, and since we don't currently need it for anything, disable it completely. - Continued clean-up towards implementing the common authentication code (This used to be commit 07817a5489dd8cc6c85c10116f4dba43d798ef03) --- .../source/class/swat/module/AbstractModuleFsm.js | 88 +++++++++++----------- .../swat/source/class/swat/module/ldbbrowse/Fsm.js | 8 +- .../swat/source/class/swat/module/ldbbrowse/Gui.js | 34 ++++----- .../source/class/swat/module/statistics/Fsm.js | 8 +- 4 files changed, 67 insertions(+), 71 deletions(-) (limited to 'webapps/swat') diff --git a/webapps/swat/source/class/swat/module/AbstractModuleFsm.js b/webapps/swat/source/class/swat/module/AbstractModuleFsm.js index cffeb8b00a..a2564e708a 100644 --- a/webapps/swat/source/class/swat/module/AbstractModuleFsm.js +++ b/webapps/swat/source/class/swat/module/AbstractModuleFsm.js @@ -151,10 +151,10 @@ qx.Proto.addAwaitRpcResultState = function(module) function(fsm, event) { // Get the request object - var request = _this.getCurrentRpcRequest(); + var rpcRequest = _this.getCurrentRpcRequest(); // Issue an abort for the pending request - request.abort(); + rpcRequest.request.abort(); } }); state.addTransition(trans); @@ -174,14 +174,14 @@ qx.Proto.addAwaitRpcResultState = function(module) function(fsm, event) { // Get the request object - var request = _this.getCurrentRpcRequest(); + var rpcRequest = _this.getCurrentRpcRequest(); // Generate the result for a completed request - request.setUserData("result", - { - type : "complete", - data : event.getData() - }); + rpcRequest.setUserData("result", + { + type : "complete", + data : event.getData() + }); } }); state.addTransition(trans); 
@@ -201,14 +201,14 @@ qx.Proto.addAwaitRpcResultState = function(module) function(fsm, event) { // Get the request object - var request = _this.getCurrentRpcRequest(); + var rpcRequest = _this.getCurrentRpcRequest(); // Generate the result for a completed request - request.setUserData("result", - { - type : "failed", - data : event.getData() - }); + rpcRequest.setUserData("result", + { + type : "failed", + data : event.getData() + }); } }); state.addTransition(trans); 
@@ -221,68 +221,64 @@ qx.Proto.addAwaitRpcResultState = function(module) * @param fsm {qx.util.fsm.FiniteStateMachine} * The finite state machine issuing this remote procedure call. * - * @param service {String} + * @param service {string} * The name of the remote service which provides the specified method. * - * @param method {String} + * @param method {string} * The name of the method within the specified service. * * @param params {Array} * The parameters to be passed to the specified method. * - * @return {qx.io.remote.Request} + * @return {Object} * The request object for the just-issued RPC request. */ qx.Proto.callRpc = function(fsm, service, method, params) { // Create an object to hold a copy of the parameters. (We need a // qx.core.Object() to be able to store this in the finite state machine.) - var o = new qx.core.Object(); + var rpcRequest = new qx.core.Object(); - // copy the parameters; we'll prefix our copy with additional params - o.allParams = params.slice(0); + // Save the service name + rpcRequest.service = service; - // prepend the method - o.allParams.unshift(method); + // Copy the parameters; we'll prefix our copy with additional params + rpcRequest.params = params.slice(0); - // prepend the flag indicating to coalesce failure events - o.allParams.unshift(true); + // Prepend the method + rpcRequest.params.unshift(method); - // prepend the service name - o.allParams.unshift(service); + // Prepend the flag indicating to coalesce failure events + rpcRequest.params.unshift(true); - // Save the complete parameter list in case authentication fails and we need - // to reissue the request. 
- fsm.addObject("swat.module.rpc_params", o); - // Retrieve the RPC object */ var rpc = fsm.getObject("swat.module.rpc"); // Set the service name - rpc.setServiceName(o.allParams[0]); + rpc.setServiceName(rpcRequest.service); // Issue the request, skipping the already-specified service name - var request = + rpcRequest.request = qx.io.remote.Rpc.prototype.callAsyncListeners.apply(rpc, - o.allParams.slice(1)); + rpcRequest.params); - // Make the request object available to the AwaitRpcResult state - this.pushRpcRequest(request); + // Make the rpc request object available to the AwaitRpcResult state + this.pushRpcRequest(rpcRequest); // Give 'em what they came for - return request; + return rpcRequest; }; /** * Push an RPC request onto the request stack. * - * @param request {qx.io.remote.Request} - * The just-issued request + * @param request {Object} + * The just-issued rpc request object */ -qx.Proto.pushRpcRequest = function(request) +qx.Proto.pushRpcRequest = function(rpcRequest) { - this._requests.push(request); + this._requests.push(rpcRequest); }; @@ -290,8 +286,8 @@ qx.Proto.pushRpcRequest = function(request) * Retrieve the most recent RPC request from the request stack and pop the * stack. * - * @return {qx.io.remote.Request} - * The request from the top of the request stack + * @return {Object} + * The rpc request object from the top of the request stack */ qx.Proto.popRpcRequest = function() { @@ -300,16 +296,16 @@ qx.Proto.popRpcRequest = function() throw new Error("Attempt to pop an RPC request when list is empty."); } - var request = this._requests.pop(); - return request; + var rpcRequest = this._requests.pop(); + return rpcRequest; }; /** * Retrieve the most recent RPC request. * - * @return {qx.io.remote.Request} - * The request at the top of the request stack + * @return {Object} + * The rpc request object at the top of the request stack */ qx.Proto.getCurrentRpcRequest = function() { 
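Review bot: The comments kept around the rewritten callRpc body no longer match it. `// Create an object to hold a copy of the parameters. (We need a qx.core.Object() to be able to store this in the finite state machine.)` survives although the `fsm.addObject("swat.module.rpc_params", o)` call is removed, and `// Issue the request, skipping the already-specified service name` survives although `rpcRequest.params` never contains the service name and is no longer sliced. In the same hunk the pushRpcRequest doc block says `@param request {Object}` while the parameter is now `rpcRequest`. Suggest `@param rpcRequest {qx.core.Object}`, plus a callRpc `@return` text that names the wrapper's `service`, `params` and `request` fields, since any caller outside this diff that treated the return value as a `qx.io.remote.Request` would now need `.request`.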
diff --git a/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js b/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js index 8052d9a579..6b5ae695bf 100644 --- a/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js +++ b/webapps/swat/source/class/swat/module/ldbbrowse/Fsm.js @@ -43,15 +43,15 @@ qx.Proto.buildFsm = function(module) if (fsm.getPreviousState() == "State_AwaitRpcResult") { // Yup. Display the result. We need to get the request object - var request = _this.popRpcRequest(); + var rpcRequest = _this.popRpcRequest(); // Display the result var gui = swat.module.ldbbrowse.Gui.getInstance(); - gui.displayData(module, request); + gui.displayData(module, rpcRequest); // Dispose of the request - request.dispose(); - request = null; + rpcRequest.request.dispose(); + rpcRequest.request = null; } }, diff --git a/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js b/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js index 9e86be25e9..52db8fdd88 100644 --- a/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js +++ b/webapps/swat/source/class/swat/module/ldbbrowse/Gui.js @@ -114,12 +114,12 @@ qx.Proto.buildGui = function(module) * The result returned by SAMBA to our request. We display the data * provided by this result. */ -qx.Proto.displayData = function(module, request) +qx.Proto.displayData = function(module, rpcRequest) { var gui = module.gui; var fsm = module.fsm; - var result = request.getUserData("result") - var requestType = request.getUserData("requestType"); + var result = rpcRequest.getUserData("result") + var requestType = rpcRequest.getUserData("requestType"); // Did the request fail? if (result.type == "failed") 
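Review bot: Only the inner transport request is released here; the wrapper created in callRpc with `new qx.core.Object()` is popped and then dropped without `dispose()`. If qx.core.Object instances stay registered with the framework until disposed (usual in qooxdoo, but confirm for this version), every RPC leaves behind a wrapper that still holds `params` and the `result` user data. That would matter more if the planned authentication code ever passes credentials through callRpc. Suggest adding `rpcRequest.dispose();` and `rpcRequest = null;` after `rpcRequest.request = null;`. The same pattern appears in the statistics/Fsm.js hunk, where it sits next to the timer restart; buildFsm's body continues outside this hunk.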
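Review bot: displayData dereferences `result.type` straight after `rpcRequest.getUserData("result")`, but in AbstractModuleFsm.js only the completed and failed transitions store a result; the abort transition calls `rpcRequest.request.abort()` and stores nothing. Whether an aborted request can reach displayData is not visible here, so a guard such as `if (! result) { return; }` before the failure test would make that explicit. The rewritten line `var result = rpcRequest.getUserData("result")` also still lacks its terminating semicolon. The function body continues outside the hunk.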
@@ -133,19 +133,19 @@ qx.Proto.displayData = function(module, request) switch(requestType) { case "find": - this._displayFindResults(module, request); + this._displayFindResults(module, rpcRequest); break; case "tree_open": - this._displayTreeOpenResults(module, request); + this._displayTreeOpenResults(module, rpcRequest); break; case "tree_selection_changed": - this._displayTreeSelectionChangedResults(module, request); + this._displayTreeSelectionChangedResults(module, rpcRequest); break; case "database_name_changed": - this._clearAllFields(module, request); + this._clearAllFields(module, rpcRequest); break; default: @@ -409,7 +409,7 @@ qx.Proto._buildPageBrowse = function(module, page) }; -qx.Proto._displayFindResults = function(module, request) +qx.Proto._displayFindResults = function(module, rpcRequest) { var rowData = []; var fsm = module.fsm; @@ -418,7 +418,7 @@ qx.Proto._displayFindResults = function(module, request) var maxLen = 0; // Obtain the result object - result = request.getUserData("result").data; + result = rpcRequest.getUserData("result").data; if (result && result["length"]) { @@ -497,18 +497,18 @@ qx.Proto._displayFindResults = function(module, request) }; -qx.Proto._displayTreeOpenResults = function(module, request) +qx.Proto._displayTreeOpenResults = function(module, rpcRequest) { var t; var trs; var child; // Obtain the result object - var result = request.getUserData("result").data; + var result = rpcRequest.getUserData("result").data; // We also need some of the original parameters passed to the request - var parent = request.getUserData("parent"); - var attributes = request.getUserData("attributes"); + var parent = rpcRequest.getUserData("parent"); + var attributes = rpcRequest.getUserData("attributes"); // Any children? if (! result || result["length"] == 0) 
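Review bot: In _displayFindResults the rewritten line `result = rpcRequest.getUserData("result").data;` assigns without `var`, unlike the three sibling functions in this file, which all use `var result = ...`. Unless `result` is declared in the two lines between the -409 and -418 hunks, which are not shown, this creates an implicit global that outlives the call and is visible to every module on the page. Suggest `var result = rpcRequest.getUserData("result").data;`.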
@@ -548,12 +548,12 @@ qx.Proto._displayTreeOpenResults = function(module, request) }; -qx.Proto._displayTreeSelectionChangedResults = function(module, request) +qx.Proto._displayTreeSelectionChangedResults = function(module, rpcRequest) { var fsm = module.fsm; // Obtain the result object - var result = request.getUserData("result").data; + var result = rpcRequest.getUserData("result").data; // If we received an empty list, ... if (result == null) @@ -612,10 +612,10 @@ qx.Proto._displayTreeSelectionChangedResults = function(module, request) }; -qx.Proto._clearAllFields = function(module, request) +qx.Proto._clearAllFields = function(module, rpcRequest) { // Obtain the result object - var result = request.getUserData("result").data; + var result = rpcRequest.getUserData("result").data; // Retrieve the database handle module.dbHandle = result; diff --git a/webapps/swat/source/class/swat/module/statistics/Fsm.js b/webapps/swat/source/class/swat/module/statistics/Fsm.js index 1aeab8a4a3..5e4843691c 100644 --- a/webapps/swat/source/class/swat/module/statistics/Fsm.js +++ b/webapps/swat/source/class/swat/module/statistics/Fsm.js @@ -67,15 +67,15 @@ qx.Proto.buildFsm = function(module) if (fsm.getPreviousState() == "State_AwaitRpcResult") { // Yup. Display the result. We need to get the request object - var request = _this.popRpcRequest(); + var rpcRequest = _this.popRpcRequest(); // Display the result var gui = swat.module.statistics.Gui.getInstance(); - gui.displayData(module, request.getUserData("result")); + gui.displayData(module, rpcRequest.getUserData("result")); // Dispose of the request - request.dispose(); - request = null; + rpcRequest.request.dispose(); + rpcRequest.request = null; // Restart the timer. swat.module.statistics.Fsm._startTimer(fsm); -- cgit