Using the example of "Trade Management 11.3", we will consider a simple process of connecting an external printing plate. We will also consider the features of the new security system.
Fast passage
Preliminary actions
First you should enable functionality or check its availability
1. We go under full rights to the information base.
2. Go to the menu "Reference data and administration" / Block "Administration" / Command "Printing forms, reports and processing".
Adding
In the section that opens:
Add processing by clicking the "Create" button (this is important) or "Updating!" existing:
- Select it in the list (if not selected or empty, the command will not work, but will not say anything).
- Press the button "Load from file".
After the appearance for 1C in external processing, security checks appeared in new configurations.
You should install only processing created independently or obtained through known communication channels (not from mail, only from a site with a valid certificate, or provided by the developer's employees, confirmed by him by phone).
If the developer has written everything for processing, then "Placement" will be set - objects in which processing will be involved, the command (s) will appear.
To work, it will be enough to click "Record and Close".
Examination
Immediately after that, depending on the type of processing:
- The printable becomes available when you open a document or from its list (for already opened when reopening) by clicking the "Print" button.
- Treatments are available in the sections "Additional treatments" in each subsystem
- Processing of filling by clicking the "Fill" button in the list or the main command panel of the object form.
For the above processing, the launch will look like this:
If the document is new, it should be written, the external processing mechanism will warn you about this:
Further behavior depends on the built-in functionality: it is possible to open a form or simple data processing.
Security warnings in 1C
In new platform releases and configurations, protection against the launch of malicious programs has been increased.
In processing, Excel may be called for loading, in which case the new security subsystem will also warn you:
In this case, the handler code is interrupted.
If you click "Yes", the system will ask you to call the command again:
It is possible for the infobase user to disable protection against dangerous actions through the Configurator:
This cannot be changed from the "Enterprise" mode, perhaps it was done on purpose, it may appear after the update.
It should also be noted that if processing uses Excel, it must run in an unsafe mode (this was the case before the introduction of the new system, it works in parallel):
"Unable to load MS EXCEL !!!" “Safe mode is set. Operation is prohibited "
In external processing, it looks like this:
The developer should set it to "False" in the internal processing description, then everything will be fine:
ExternalProcessingData Function () Export RegistrationParameters = New Structure; Registration Parameters.Insert ("SafeMode", False);
When updating the configuration, warning text also appeared about the source from which the configuration file was obtained:
When you start the program Uploading documents as a regular user, the error "Safe mode is set. Operation is prohibited."
This complexity arises because not enough rights to start external processing. To set up access rights, go to the database in 1C Enterprise mode on behalf of Administrator and go to section User and rights settings / Access group profiles, click To create a group.
Enter the name of the group and check the boxes available to users of this group of roles -
- Interactive opening of external reports and processors
- Using additional reports and processing
Click on Burn and close
Return to the Users menu and select from the list the employee who will work with the Download Documents program. Click Permissions. In the list of profiles, mark the previously created profile. Click on Write down.
It is recommended to add Document Upload to the list of external processors so that users can start processing. For this in the menu Administration / Printing forms and processing / Additional reports and processing create a new treatment. Browse to and name the LoadDocuments.epf file. Specify the location of the processing in the menu from where the user can launch it in the future, for example, select the menu Directories
By clicking on the Quick access item, you indicate which of the users has access to processing:
After setting, click Burn and close... To start processing, users will just need to re-enter the database and open it from the access menu (in the example, References) and click Execute.
Open up Menu - All functions ..... and find the Security Profiles in use option in the list.
It is enough to uncheck the "Security profiles are used" option.
After that, the program will start successfully.
With the release of platform 8.3.9.2033, a new mechanism has appeared "Protection against dangerous actions".
Thanks to this innovation, 1C -ka now began to swear at the opening of processing (and not only):
Security warning
Opens "My external processing" from the file "My_External_Processing.epf"
It is recommended to pay attention to the source from which this file is obtained. If there is no agreement with the source about the development of additional modules, or there are doubts about the contents of the file, then it is not recommended to open it, as this may harm the computer and data.
Do you want to allow this file to be opened?
So 1C decided to fight against malicious code!
Where this "malicious code" will come from at the enterprise is still a mystery)
Potentially dangerous actions included:
- Loading an external report, processing or expanding the configuration.
- Load or update configuration / extension.
- Access from an external report / processing or extension to the following features:
- Operating system command execution.
- User management (recording or deleting information about an infobase user).
- Calling the Connect () method of the external processors (reports) manager.
- Calling the ConfigurationExtension.Write () method.
- Working with COM objects.
How can this "miracle" be turned off?
To do this, you need to run 1C Enterprise in the configurator mode.
Select the "Administration" - "Users" menu.
In the opened window of our users, you need to open the user settings window and on the "Basic" tab remove the checkbox "Protection against dangerous actions"
There are other ways to turn this off:
The ability to specify a list of infobases has been implemented, when working with which protection against dangerous actions will be disabled.
The DisableUnsafeActionProtection parameter in the conf.cfg file is responsible for this function, which allows you to disable the protection mechanism against dangerous actions for all users of certain infobases whose connection strings satisfy the masks specified in the DisableUnsafeActionProtection parameter.
In this parameter, you can specify several masks separated by the ";" symbol, for example:
DisableUnsafeActionProtection = test _. *; Stage _. *;
In addition, protection against dangerous user actions can be disabled programmatically, for which there are the following parameters and properties:
- Parameter Protection from dangerous actions of methods Connect () managers of external processing (reports)
- The HazardousActionProtection property of theConfigurationExtension object before calling the Write () method of this object.
Checking the need to use protection against dangerous actions is performed in the following order:
1. If the "Protection against dangerous actions" checkbox is cleared for the current user, then the protection is considered disabled.
2. If the infobase connection string matches one of the templates specified in the DisableUnsafeActionProtection parameter of the conf.cfg file, then protection is considered disabled.
3. If protection is explicitly disabled using the AntiDangerousActions parameter of an external processing or report.
4. If protection is explicitly disabled using the AntiDangerousActions extension property.
External processing is programmatically opened using the ExternalProcessing global context object, which has the type ExternalProcessingManager... For each operating mode of the 1C platform (normal application mode and managed application mode), various object methods are used to work with external processing.
Start external processing in normal application mode
In a typical application, you must use the Create () method of the ExternalProcessing object, which is passed the full name of the external processing file. The method returns an object of type External Processing, this object is the external processing being opened. If you need to open an external processing form, then call the GetForm () method on the resulting object, which will return the main form, and then call the Open () method to open it.Processing = ExternalProcessing.Create (FullFileName);
Processing.GetForm (). Open ();
In external processors, the main form must always be a regular form, and the managed form must always be an additional one, otherwise the GetForm () method will not work in the normal application mode.
Starting external processing in managed application mode
In managed forms mode, a split of the algorithm by execution context appears. On the client, we get binary data by the full name of the external processing file. We transfer the received binary data to the server and put it in temporary storage. Next, you need to call the Connect () method of the ExternalProcessing object, to which the address to the temporary storage is passed. The method returns the name of the connected external processing. We return the name of the external processing to the client, form a string path to the processing form and use the OpenForm () method to open the external processing form.&On server
GetExternalProcessingName Function (BinaryData)
AddressToTemporaryStorage = PutToTemporalStore (BinaryData);
Return ExternalProcessing.Connect (AddressInTemporaryStorage);
EndFunction
& OnClient
FullFileName = ""; // Full name of the external processing file.
FileData = New BinaryData (FullFileName);
ExternalProcessingName = GetExternalProcessingName (FileData);
OpenForm ("ExternalProcessing." + ExternalProcessingName + ".Form");
Safe mode for external treatments
The Create () and Connect () methods of the ExternalProcessing object have an input parameter SafeMode - a sign of connecting external processing in safe mode. If the parameter is not specified, the connection will be made in safe mode.Safe mode is designed to protect the system from executing "untrusted" program code on the server. Potential danger is external processing or program code entered by the user for use in the Execute () and Calculate () methods.
Safe mode has the following restrictions:
- privileged mode is canceled if it was set;
- attempts to enter privileged mode are ignored;
- operations with COM objects are prohibited;
- loading and connecting external components is prohibited;
- access to the file system is denied (except for temporary files);
- Internet access is denied.
To prohibit the interactive opening of processing, in all roles assigned to the user, you must remove the "Open external processing interactively" right (see Figure 1).
| Figure 1. Rights of interactive opening of external processings / reports |
Opening external reports programmatically, similar to external processors, you should only use the External Reports global context object, which has the type ExternalReportManager.
The fact is that when using the client-server version of 1C operation, external processing / reports are opened in safe mode, in which the use of privileged mode is prohibited. And the privileged mode is used very often in typical configurations: the formation of printed forms, various service checks (registration of exchanges), etc. As a result, even using a regular report on the ACS without a form (by default, the general "Report Form" form is used) and saving the custom report settings (to the corresponding reference), you will receive an error about insufficient access rights to various constants and session parameters used for service purposes after the line SetPrivilegedMode (True);
The "correct" solution would be to connect external processes and reports through the mechanisms of the BSP "Additional reports and processing" with disabling the safe mode or adding permissions (in my opinion, from the BSP version 2.2.2.1). But if, for some reason, it is necessary to use external report / processing files, then you can configure a cluster security profile that is used as a safe mode security profile for a specific infobase.
I would like to note right away that this option is not preferable, but due to various circumstances, it can be used in such a simplified form. For example, I have several bases in different cities, a common local sit down with strictly limited rights, closed USB, etc., somewhere I use Accounting 2.0, and somewhere 3.0, I make almost all reports using ACS without forms, so that they opened in both versions. Serving all these reports for different versions and different databases is a time consuming and unpromising business. plans include a transition to a single configuration and base ...
We create a profile.
In the cluster console, create a security profile in which we set flags "Can be used as a safe mode security profile" and "under" Full Control Allowed: " "to privileged mode".
In many cases of using reports and simple processing, this method will be applicable. For more complex situations, it makes no sense to describe the process, because it is stated in the documentation (the ability to customize security profiles for specific external files by specifying its hash, etc.).
P.S. I thought that security profiles function only when using licenses for the platform and server of the CORP level, but this functionality is also fulfilled on the 1C: Enterprise 8.3 platform (conditionally, you can call PROF by analogy with typical configurations Basic / PROF / CORP)
