From 1e559204e0bbd40531053106c56f55c352f33ac2 Mon Sep 17 00:00:00 2001
From: Robin Sonefors
Date: Tue, 29 Apr 2014 18:45:11 +0200
Subject: [PATCH] reports: Don't validate report names in javascript
It provides no protection - seriously, *javascript* validation! - while leaking information about other users' saved reports. That's a suboptimal trade-off if I ever saw one.
Change-Id: I303869b5daf14941b178841bd1511da0726c629d
Signed-off-by: Robin Sonefors
---
 application/views/reports/js/common.js | 10 ----------
 modules/reports/controllers/reports.php | 9 ---------
 modules/reports/controllers/summary.php | 15 ---------------
 3 files changed, 34 deletions(-)
diff --git a/application/views/reports/js/common.js b/application/views/reports/js/common.js
index b92be1f0f..5516653e4 100644
--- a/application/views/reports/js/common.js
+++ b/application/views/reports/js/common.js
@@ -1,4 +1,3 @@
-var invalid_report_names = '';
 var current_filename;
 var sla_month_error_color = 'red';
 var sla_month_disabled_color = '#cdcdcd';
@@ -483,15 +482,6 @@ function check_form_values(form)
 if (!errors) {
 $('#response', form).html('');
- // check if report name is unique
- if(report_name && saved_report_id == '' && invalid_report_names && invalid_report_names.has(report_name))
- {
- if(!confirm(_reports_error_name_exists_replace))
- {
- return false;
- }
- }
-
 $('#response', form).hide();
 return true;
 }
diff --git a/modules/reports/controllers/reports.php b/modules/reports/controllers/reports.php
index ee1bdc1e0..e8452859b 100644
--- a/modules/reports/controllers/reports.php
+++ b/modules/reports/controllers/reports.php
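Review bot: With the uniqueness prompt gone from `check_form_values` (second hunk of common.js), nothing in this patch adds a server-side equivalent, so unless the save endpoint outside this diff rejects or confirms a duplicate name, saving a report under an existing name now overwrites or fails without the user being told; the endpoint should return a clear "name already exists" error rather than relying on the removed `confirm()`. The string `_reports_error_name_exists_replace` that the removed branch used is presumably still emitted by a controller and is now dead; it could be dropped in the same change. Dropping the `invalid_report_names` array does remove the exposure of other users' report names, which is the right outcome here. `check_form_values` starts before this hunk.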
@@ -44,8 +44,6 @@ class Reports_Controller extends Base_reports_Controller
 Session::instance()->set('current_report_params', null);
 Session::instance()->set('main_report_params', null);
- $old_config_names = Saved_reports_Model::get_all_report_names($this->type);
- $old_config_names_js = empty($old_config_names) ? "false" : "new Array('".implode("', '", array_map('addslashes', $old_config_names))."');";
 $type_str = $this->type == 'avail' ? _('availability') : _('SLA');
@@ -102,9 +100,6 @@ class Reports_Controller extends Base_reports_Controller
 if ($this->options['report_id'])
 $this->js_strings .= "var _report_data = " . $this->options->as_json() . "\n";
- $this->inline_js .= "invalid_report_names = ".$old_config_names_js .";\n";
-
- $this->js_strings .= "var nr_of_scheduled_instances = ". (!empty($scheduled_info) ? sizeof($scheduled_info) : 0).";\n";
 $this->js_strings .= "var _reports_propagate = '"._('Would you like to propagate this value to all months?')."';\n";
 $this->js_strings .= "var _reports_propagate_remove = '"._("Would you like to remove all values from all months?")."';\n";
@@ -202,10 +197,6 @@ class Reports_Controller extends Base_reports_Controller
 $this->xtra_css[] = $this->add_path('reports/css/tgraph.css');
 $this->template->css_header = $this->add_view('css_header');
- $old_config_names = Saved_reports_Model::get_all_report_names($this->type);
- $old_config_names_js = empty($old_config_names) ? "false" : "new Array('".implode("', '", array_map("addslashes", $old_config_names))."');";
- $this->inline_js .= "invalid_report_names = ".$old_config_names_js .";\n";
-
 $this->template->content = $this->add_view('reports/index'); # base template with placeholders for all parts
 $template = $this->template->content;
diff --git a/modules/reports/controllers/summary.php b/modules/reports/controllers/summary.php
index fb10d3b18..87482be22 100644
--- a/modules/reports/controllers/summary.php
+++ b/modules/reports/controllers/summary.php
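Review bot: The second hunk (`@@ -102,9 +100,6 @@`) also deletes `$this->js_strings .= "var nr_of_scheduled_instances = ". (!empty($scheduled_info) ? sizeof($scheduled_info) : 0).";\n";`, which appears unrelated to report-name validation and is not re-added anywhere in this patch (the diffstat shows 34 deletions and no insertions). If any view or script still reads `nr_of_scheduled_instances`, the page now raises an undefined-variable error in the browser; either keep that line or state in the commit message why it goes. The other two hunks remove only the `invalid_report_names` plumbing and match the stated intent. The enclosing method bodies start and end outside these hunks.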
@@ -68,12 +68,6 @@ class Summary_Controller extends Base_reports_Controller
 unset($_SESSION['report_err_msg']);
 }
- # get all saved reports for user
- $saved_reports = Saved_reports_Model::get_saved_reports($this->type);
- $old_config_names = Saved_reports_Model::get_all_report_names($this->type);
- $old_config_names_js = empty($old_config_names) ? "false" : "new Array('".implode("', '", array_map('addslashes', $old_config_names))."');";
-
 $this->template->js_header = $this->add_view('js_header');
 $this->xtra_js[] = 'application/media/js/jquery.datePicker.js';
 $this->xtra_js[] = 'application/media/js/jquery.timePicker.js';
@@ -86,7 +80,6 @@ class Summary_Controller extends Base_reports_Controller
 $this->js_strings .= reports::js_strings();
 $this->js_strings .= "var _scheduled_label = '"._('Scheduled')."';\n";
- $this->inline_js .= "var invalid_report_names = ".$old_config_names_js .";\n";
 if ($this->options['report_id']) {
 $this->js_strings .= "var _report_data = " . $this->options->as_json() . "\n";
@@ -102,8 +95,6 @@ class Summary_Controller extends Base_reports_Controller
 $this->template->js_strings = $this->js_strings;
 $template->type = $this->type;
- $template->old_config_names_js = $old_config_names_js;
- $template->old_config_names = $old_config_names;
 $template->scheduled_ids = $scheduled_ids;
 $template->scheduled_periods = $scheduled_periods;
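Review bot: The third hunk (`@@ -102,8 +95,6 @@`) removes the `$template->old_config_names_js` and `$template->old_config_names` assignments, but no view file is touched by this patch (the diffstat lists only the two controllers and common.js), so if the summary view still reads either variable it now hits an undefined variable at render time; the view should be checked and any reference removed in the same change. The first hunk likewise drops `$saved_reports = Saved_reports_Model::get_saved_reports($this->type);`, which is not part of the report-name validation and is fine only if nothing later in that method uses `$saved_reports` — the method continues past the hunk, so that cannot be confirmed from here. If the removal is deliberate, a sentence in the commit message would save the next reader the same check.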
@@ -172,12 +163,6 @@ class Summary_Controller extends Base_reports_Controller
 $this->xtra_css[] = $this->add_path('reports/css/datePicker.css');
 $this->template->css_header->css = $this->xtra_css;
- if ($this->type == 'summary') {
- $old_config_names = Saved_reports_Model::get_all_report_names($this->type);
- $old_config_names_js = empty($old_config_names) ? "false" : "new Array('".implode("', '", array_map('addslashes', $old_config_names))."');";
- $this->inline_js .= "var invalid_report_names = ".$old_config_names_js .";\n";
- }
-
 if($this->options['report_period'] && $this->options['report_period'] != 'custom')
 $report_time_formatted = $this->options->get_value('report_period');
 else
-- 
2.11.4.GIT