From d5b215deb52f9f8e4ba8380ac7df29cca7d6025b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bernd=20Ble=C3=9Fmann?= <bernd@kivitendo-premium.de>
Date: Tue, 29 Sep 2015 13:47:31 +0200
Subject: [PATCH] Auftrags-Controller: PDF-Download: Dateiname als
 session_value speichern.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Damit muss der Dateiname nicht mehr an den Client übertragen werden.
---
 SL/Controller/Order.pm             | 12 ++++++------
 templates/webpages/order/form.html |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/SL/Controller/Order.pm b/SL/Controller/Order.pm
index 1878cc7a2..3010b5bb9 100644
--- a/SL/Controller/Order.pm
+++ b/SL/Controller/Order.pm
@@ -120,21 +120,21 @@ sub action_create_pdf {
   $sfile->fh->print($pdf);
   $sfile->fh->close;
 
-  # get temporary session filename with stripped path
-  my (undef, undef, $tmp_filename) = File::Spec->splitpath($sfile->file_name);
+  my $key = join('_', Time::HiRes::gettimeofday(), int rand 1000000000000);
+  $::auth->set_session_value("Order::create_pdf-${key}" => $sfile->file_name);
+
   my $pdf_filename =  t8('Sales Order') . '_' . $self->order->ordnumber . '.pdf';
 
   $self->js
-    ->run('download_pdf', $tmp_filename, $pdf_filename)
+    ->run('download_pdf', $pdf_filename, $key)
     ->flash('info', t8('The PDF has been created'))->render($self);
 }
 
 sub action_download_pdf {
   my ($self) = @_;
 
-  # given tmp_filename should contain no path, so strip if any
-  my (undef, undef, $tmp_filename) = File::Spec->splitpath($::form->{tmp_filename});
-  my $tmp_filename = File::Spec->catfile(SL::SessionFile->new->get_path, $tmp_filename);
+  my $key = $::form->{key};
+  my $tmp_filename = $::auth->get_session_value("Order::create_pdf-${key}");
   return $self->send_file(
     $tmp_filename,
     type => 'application/pdf',
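Review bot: In action_download_pdf the lookup `$::auth->get_session_value("Order::create_pdf-${key}")` yields undef whenever the client sends a missing, stale or fabricated `key`, and that undef is passed straight into `send_file` a line later with no check; the action should fail early, e.g. `my $tmp_filename = $::auth->get_session_value("Order::create_pdf-${key}") or die "unknown or expired PDF download key";`. The session entry is also never removed after the file is sent, so every create_pdf call leaves a temp-file path in the session for its whole lifetime; if SL::Auth exposes a way to unset a session value, clearing the entry once the download has been served (or rejecting a second use of the same key) would keep the session small and make the key single-use. The `send_file(` call and the rest of action_download_pdf continue outside the hunk, so whether `$::form->{pdf_filename}` is still taken unvalidated from the client for the download name cannot be judged here.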
diff --git a/templates/webpages/order/form.html b/templates/webpages/order/form.html
index a1d90e172..31a4dc019 100644
--- a/templates/webpages/order/form.html
+++ b/templates/webpages/order/form.html
@@ -54,11 +54,11 @@ function create_pdf() {
   $.post("controller.pl", data, kivi.eval_json_result);
 }
 
-function download_pdf(tmp_filename, pdf_filename) {
+function download_pdf(pdf_filename, key) {
   var data = 'action=Order/download_pdf';
   data += '&type=' + $('#type').val();
-  data += '&tmp_filename=' + tmp_filename;
   data += '&pdf_filename=' + pdf_filename;
+  data += '&key=' + key;
   $.download("controller.pl", data);
 }
 
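Review bot: The new `key` parameter and the kept `pdf_filename` parameter are concatenated into the query string without URL-encoding in download_pdf; `pdf_filename` is built from a translated label and the order number, so a space, `&`, `#` or non-ASCII character in either will corrupt or truncate the request. Encode both values: `data += '&pdf_filename=' + encodeURIComponent(pdf_filename);` and `data += '&key=' + encodeURIComponent(key);`. The key format produced in the controller (digits joined by underscores) is harmless today, but encoding keeps the template correct if that format ever changes.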
-- 
2.20.1