author | Bharat Mediratta <bharat@menalto.com> | 2009-03-16 08:29:35 +0000 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2009-03-16 08:29:35 +0000 |
commit | 2c3ab56a424aa66dab4e00ff2dbc193a7280b059 (patch) | |
tree | 155ae8e4c1b9dd76893cb86cb733917647508357 | |
parent | c05a1103e73a54e3046c5aafc5daaa0c72d460f2 (diff) |
Move the admin access check into the constructor. Protecting only the index() call is easily bypassed.
-rw-r--r-- | core/controllers/scaffold.php | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/core/controllers/scaffold.php b/core/controllers/scaffold.php
index 2454b400..beba7f3c 100644
--- a/core/controllers/scaffold.php
+++ b/core/controllers/scaffold.php
@@ -20,16 +20,16 @@ class Scaffold_Controller extends Template_Controller {
 public $template = "scaffold.html";
- function index() {
- try {
- $session = Session::instance();
- } catch (Exception $e) {
+ public function __construct($theme=null) {
+ if (!(user::active()->admin)) {
+ throw new Exception("@todo UNAUTHORIZED", 401);
 }
+ parent::__construct();
+ }
+
+ function index() {
+ $session = Session::instance();
- if (!user::active()->admin) {
- throw new Exception("@todo FORBIDDEN", 503);
- }
-
 set_error_handler(array("Scaffold_Controller", "_error_handler"));
 try {
 $this->template->album_count = ORM::factory("item")->where("type", "album")->count_all(); |
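Review bot: The status code on the new `throw new Exception("@todo UNAUTHORIZED", 401);` in `__construct` does not match the condition it guards: `!(user::active()->admin)` is true for an authenticated non-admin user as well as for a guest, and for a caller who is logged in but lacks the role the correct HTTP status is 403 Forbidden, whereas 401 tells the client that authentication is required and invites a credential retry. Suggest `throw new Exception("@todo FORBIDDEN", 403);` (the removed line had the FORBIDDEN wording but used 503, so neither revision has the right number). It is not visible here whether the framework's exception handler maps this code to an HTTP response at all; if it falls through to a generic error page the guard still blocks every action, but it is worth confirming that the resulting page does not expose a stack trace to the unprivileged caller. The `$theme=null` parameter added to the constructor is never forwarded to `parent::__construct()`, which looks unintentional unless the parent signature takes no theme. The `index()` body continues past the end of the hunk.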