authorBharat Mediratta <bharat@menalto.com>2008-12-09 10:14:09 +0000
committerBharat Mediratta <bharat@menalto.com>2008-12-09 10:14:09 +0000
commit4a0e4b798e6ea3341b1bbc902b9e1e5f2c96692d (patch)
treecb4c1ea6834c455ce87d345ad5085504b78d5d88
parente62103b8d9463bf409881d17a4bda93f3ca3208d (diff)
Check view permissions before allowing view access to albums/photos.
-rw-r--r--core/controllers/albums.php4
-rw-r--r--core/controllers/photos.php4
-rw-r--r--core/controllers/rest.php12
-rw-r--r--core/helpers/access.php7
4 files changed, 15 insertions, 12 deletions
diff --git a/core/controllers/albums.php b/core/controllers/albums.php
index e684fa6b..bba7fd6e 100644
--- a/core/controllers/albums.php
+++ b/core/controllers/albums.php
@@ -23,6 +23,10 @@ class Albums_Controller extends Items_Controller {
* @see Rest_Controller::_show($resource)
*/
public function _show($item) {
+ if (!access::can("view", $item->id)) {
+ return Kohana::show_404();
+ }
+
// @todo: these need to be pulled from the database
$theme_name = "default";
$page_size = 9;
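Review bot: The new guard in `_show` answers a denied view with `Kohana::show_404()` rather than a 403, which makes an item the caller may not see indistinguishable from one that does not exist; that is a reasonable choice, but it is not stated anywhere, and the docblock above still only says `@see Rest_Controller::_show($resource)`. Add a line such as `* Returns 404 (not 403) when the current user lacks "view" on $item, so hidden items look like missing ones.` The identical guard is added to `Photos_Controller::_show` in core/controllers/photos.php and deserves the same note there. Both `_show` bodies continue past the end of their hunks.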
diff --git a/core/controllers/photos.php b/core/controllers/photos.php
index 7a599f4b..8b3e81fc 100644
--- a/core/controllers/photos.php
+++ b/core/controllers/photos.php
@@ -23,6 +23,10 @@ class Photos_Controller extends Items_Controller {
* @see Rest_Controller::_show($resource)
*/
public function _show($item) {
+ if (!access::can("view", $item->id)) {
+ return Kohana::show_404();
+ }
+
// @todo: this needs to be data-driven
$template = new Theme_View("page.html", "photo", "default");
diff --git a/core/controllers/rest.php b/core/controllers/rest.php
index c7429f5d..c10bbcdb 100644
--- a/core/controllers/rest.php
+++ b/core/controllers/rest.php
@@ -81,22 +81,14 @@ abstract class REST_Controller extends Controller {
return $this->_index();
}
- // @todo this needs security checks
- $id = $function;
- $resource = ORM::factory($this->resource_type, $id);
+ $resource = ORM::factory($this->resource_type, $function);
if (!$resource->loaded && $request_method != "post") {
return Kohana::show_404();
}
switch ($request_method) {
case "get":
- $this->_show($resource);
-
- if (Session::instance()->get("use_profiler", false)) {
- $profiler = new Profiler();
- $profiler->render();
- }
- return;
+ return $this->_show($resource);
case "put":
return $this->_update($resource);
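Review bot: The `// @todo this needs security checks` marker is dropped here, but within this hunk only the `get` branch reaches a permission check (indirectly, through the subclass `_show`); `put` still dispatches `$this->_update($resource)` on the loaded resource with no visible access check, and the `delete` branch presumably follows the same pattern below the hunk. Unless the subclass `_update`/`_delete` methods check on their own (not shown), the check would be more robust placed once in this dispatcher before the `switch`, e.g. `if ($resource->loaded && !access::can("view", $resource->id)) { return Kohana::show_404(); }` as a floor, with the write verbs mapped to their own permission names (none appear on this page, so I cannot name them). Note also that for `post` the `!$resource->loaded` guard is skipped by design, so any check added here must tolerate an unloaded resource. The enclosing dispatch method starts and ends outside this hunk.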
diff --git a/core/helpers/access.php b/core/helpers/access.php
index f4e98082..c21583a8 100644
--- a/core/helpers/access.php
+++ b/core/helpers/access.php
@@ -102,12 +102,15 @@ class access_Core {
throw new Exception("@todo MISSING_ACCESS for $item_id");
}
+ if ($access->view_0 == self::ALLOW) {
+ return true;
+ }
foreach ($user->groups as $group) {
if ($access->__get("{$perm_name}_{$group->id}") === self::ALLOW) {
- return self::ALLOW;
+ return true;
}
}
- return self::DENY;
+ return false;
} else {
return self::group_can(group::EVERYBODY, $perm_name, $item_id);
}