I. Overview
1. Version
Report server version | JAR package version |
---|---|
10.0 | 2019-12-05 |
2. Problem description
A hyperlink of the web report type is set in a report. If the user does not have permission for the sub-report that the hyperlink points to, can the user view the sub-report after clicking the hyperlink? Can the hyperlinked sub-report inherit the permissions of the main report?
The following sorts out the logic by which hyperlinks inherit permissions, so that users clearly understand how FineReport hyperlinks inherit permissions and can avoid permission leakage.
Note 1: Because the URL of a hyperlink jump carries the hyperlinktoken, within its half-hour validity period the token can be used to view the data of all other templates, which leads to unauthorized access. Therefore, JAR packages of 2019-12-05 and later versions add user login restrictions.
Note 2: FineReport has no sharing function. So-called sharing means copying the URL of the current report and giving it to others.
II. Logical description
Users can open FineReport reports in two scenarios: opened on the decision-making platform and opened outside the decision-making platform.
Report permissions are configured the same way in both scenarios: template permissions are configured through template authentication. For details on template authentication, see: Template Authentication
Note: Hyperlink permissions can be inherited only when the hyperlink is specified as a template path. The following two methods do not support permission inheritance:
1) The parameters are written directly after the template path
2) Fill in the template preview URL in the web page link
1. Open report on the decision-making platform
If the user opens the report directly on the FineReport decision-making platform, only three template access methods verify template permissions in this scenario: template type homepage, template homepage via link, and template directory via link.
When a template is mounted directly in the platform directory, template permissions are not verified. You only need to configure the directory permissions for the corresponding user in Permission Management > Permission Configuration, and the user can view the template content normally.
If the user does not have permission for the sub-report opened by the hyperlink and wants to view it, the sub-report needs to inherit the permissions of the main report, because setting template authentication permissions for the sub-report again would be more cumbersome.
To make this easier to understand, detailed user operation scenarios are given below (only the role authentication scenario is covered here):
Operation scenario | Authentication & permissions | Hyperlink viewing behavior for JAR packages of versions after 2019-12-05 |
---|---|---|
User A logs in to the platform > Open report 1 > Hyperlink to report 2 | Report 2 requires authentication; user A does not have permission for report 2 | Opened in a new window, a new tab in the platform, a dialog box, the current page, or the current tab in the platform: report 2 can be viewed directly |
User A logs in to the platform > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new browser | Report 2 requires authentication; user A has no permission; user B has permission; user C has no permission | A login prompt appears. After user A logs in: report 2 can be viewed before the token expires; after the token times out it cannot be viewed and must be reopened through the hyperlink in report 1. After user B logs in: report 2 can be viewed, and the template data is filtered according to user B's permissions. After user C logs in: a no-permission prompt appears |
User A logs in to the platform > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new tab page in the same browser | Report 2 requires authentication; user A does not have permission for report 2 | Report 2 can be viewed before the token expires; after the token times out it cannot be viewed and must be reopened through the hyperlink in report 1 |
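The role-authentication rows of the table above, expressed as a decision function (an added example, not FineReport code). The names `decide` and `HyperlinkToken`, the outcome strings, and the binding of the token to the user who followed the hyperlink are assumptions of this model; the binding is inferred from the rows for users A and C.

```python
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 30 * 60  # seconds; the "half-hour validity period" from Note 1


@dataclass(frozen=True)
class HyperlinkToken:
    issued_to: str    # user who followed the hyperlink (binding is an assumption)
    issued_at: float  # epoch seconds


def decide(token: Optional[HyperlinkToken], session_user: Optional[str],
           permitted: set, now: float, login_restriction: bool = True) -> str:
    """Outcome for a request to report 2 under role authentication.

    permitted: users holding their own permission on report 2.
    login_restriction=False models JARs before 2019-12-05, where the
    token carried in the URL was sufficient on its own.
    """
    live = token is not None and 0 <= now - token.issued_at < TOKEN_TTL
    if not login_restriction and live:
        return "VIEW_INHERITED"          # anyone holding the URL gets in
    if session_user is None:
        return "LOGIN_REQUIRED"          # new browser: no session yet
    if session_user in permitted:
        return "VIEW_OWN_PERMISSION"     # data filtered by this user's rights
    if live and token.issued_to == session_user:
        return "VIEW_INHERITED"          # inherits the main report's permission
    return "NO_PERMISSION"


if __name__ == "__main__":
    t0 = 1_000_000.0                     # constructed timestamps
    tok = HyperlinkToken("A", t0)
    rows = [
        ("copied URL, new browser, not logged in", None, t0 + 60),
        ("user A logged in, token live", "A", t0 + 60),
        ("user A logged in, token expired", "A", t0 + TOKEN_TTL + 1),
        ("user B logged in (has permission)", "B", t0 + 60),
        ("user C logged in (no permission)", "C", t0 + 60),
    ]
    for label, user, now in rows:
        print(f"{label:42} -> {decide(tok, user, {'B'}, now)}")
    print("pre-2019-12-05, no login:",
          decide(tok, None, {"B"}, t0 + 60, login_restriction=False))
```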
2. Open report outside the decision-making platform
If the user integrates the report into their own system and opens it there, template permissions in this scenario must also be configured through template authentication.
In this case, the sub-report opened by the hyperlink also needs to inherit the permissions of the main report. This is very common: when there are many reports, the administrator usually sets permissions only for the main report, and there may be many hyperlinked sub-reports, so setting permissions one by one would be very troublesome.
Again for ease of understanding, detailed user operation scenarios are given:
1) Role authorization authentication
Operation scenario | Authentication & permissions | Hyperlink viewing behavior for JAR packages of versions after 2019-12-05 |
---|---|---|
User A > Open report 1 > Hyperlink to report 2 | Both report 1 and report 2 require authentication; user A has permission for report 1 but not for report 2 | User A can directly view report 2 before the token expires. After the token expires a login prompt appears; user A cannot view report 2 after logging in and needs to open it again through the hyperlink in report 1, and report 1 also requires logging in again |
User A > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new browser | Both report 1 and report 2 require authentication; user A has permission for report 1 but not for report 2; user B has permission for report 2 | A login prompt appears. After user A logs in: report 2 can be viewed before the token expires; after the token expires a login prompt appears, user A cannot view report 2 after logging in and needs to reopen it through the hyperlink in report 1. After user B logs in: the authorized data in report 2 can be viewed normally |
User A > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new tab page in the same browser | Report 2 requires authentication; user A does not have permission for report 2 | User A does not need to log in to view report 2 before the token expires. After the token expires a login prompt appears; user A cannot view report 2 after logging in and needs to open it again through the hyperlink in report 1 |
2) Only authenticate user password
Operation scenario | Authentication & permissions | Hyperlink viewing behavior for JAR packages of versions after 2019-12-05 |
---|---|---|
User A > Open report 1 > Hyperlink to report 2 | Report 2 requires authentication | User A can view report 2 before the token expires. After the token expires, when user A refreshes report 2 a login prompt appears; any user who logs in can view the contents of report 2 normally |
User A > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new browser | Both report 1 and report 2 require authentication | A login prompt appears. After user A logs in: report 2 can be viewed before the token expires; after the timeout, logging in again is required, and the report can be viewed normally after logging in. After user B logs in: the authorized data in report 2 can be viewed before the token expires; after the timeout, logging in again is required, and the report can be viewed normally after logging in |
User A > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new tab page in the same browser | Report 2 requires authentication | User A can view report 2 without logging in before the token expires. After the token expires, user A needs to log in again to view it normally |
3) Digital signature
Operation scenario | Authentication & permissions | Hyperlink viewing behavior for JAR packages of versions after 2019-12-05 |
---|---|---|
User A > Open report 1 > Hyperlink to report 2 | Both report 1 and report 2 require authentication | User A can view report 2 before the token expires. After the token expires, report 2 cannot be viewed and must be reopened through the hyperlink in report 1; make sure that the digital signature of report 1 has not expired, otherwise it will be invalid |
User A > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new browser | | |
User A > Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new tab page in the same browser | | |
4) Authentication not enabled
Operation scenario | Hyperlink viewing behavior for JAR packages of versions after 2019-12-05 |
---|---|
Open report 1 > Hyperlink to report 2 | No need to log in; the contents of report 1 and report 2 can always be viewed |
Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new browser | No need to log in; the contents of report 1 and report 2 can always be viewed |
Open report 1 > Hyperlink to report 2 > Copy the URL of report 2 to a new tab page in the same browser | No need to log in; the contents of report 1 and report 2 can always be viewed |