Changing tableName of a ZEN-Tablepane on server

ZEN, Caché

Hi,

we are moving an existing ZEN-Application to a new version of Caché (2017.2.2). It is a rather old application and we need to do some modifications due to the thightend security of ZEN in this and prior release (we came from 2013.1). One of the changes required is to alter a table Name of a ZEN-Table on the server-side. Anyway this gives us a problem, since we receive an error

ERROR #5001: Client modification of protected property ( tableName) disallowed for security reasons.
SOURCELEMENT: %ZEN.Component.tablePane (tpSimilarity)

The tableName change is triggered from a js method

ClientMethod changeView() [ Language = javascript ]
{
var table zenPage.getComponentById('tpSimilarity');
var selectedView zenPage.getComponentById('SearchType').getProperty('text');

var tSyncMode zenSynchronousMode;
zenSynchronousMode true;
zenPage.SetTableName('tpSimilarity', "MyApp_Maps.dyn" selectedView "View");
zenSynchronousMode tSyncMode;
alert(table.getProperty('tableName'));

// label name: 'View: <conf>'
table.setProperty("label", "View: " selectedView);

zenPage.doRefresh();
}

invoking the ZenMethod SetTableName on the server

Method SetTableName(
pComponent,
pTableName) As %Status [ ZenMethod ]
{
Set %page.%GetComponentById(pComponent).tableName = pTableName
Quit $$$OK
}

When view is to be changed we receive the above mentioned error. Is there something wrong in the way we are trying to set the tableName property of the table on the server? How can a change on the server be done?

kind regards,

sebastian


 

Answers

Hi,

as my advisor told me. This is a bug in Ensemble/Caché release 2017.2.2 since the intended behaviour to set sqltablename on serverside is sufficient and this specific security consideration reported a "false positive" - if I got it right a correction for this is available with ensemle 2018.1 and is identified as SAM524. The current workaround is to use both approaches setting tablename on the server and use permitclientsql = "true".

Anyway I´ll mark this issue here as solved/answered.

Best regards,

Sebastian

Comments

Hi,

after talking to WRC and some testing. The approach altering the ZEN tablePane, tableName on the server as depicted above works until 2017.1.2. From 2017.2.1 it seems to be reqiured to have an additional property for the tablePane to be set. This property is calles ´permitClientSQL´ (set to true). This isn´t well documented in my opinion and the behaviour is to weaken the security. But even when set to true this property still requires to have the tableName property on the server despite documentation says something different.

They´ll have a look at it, since my advior himself wasn´t quite sure what that change between 2017.1 and 2017.2 is about. Keep you update when I´ve got some new details.

best regards,

sebastian