diff options
| author | Chad Kieffer <ckieffer@gmail.com> | 2009-06-02 22:55:23 -0600 |
|---|---|---|
| committer | Chad Kieffer <ckieffer@gmail.com> | 2009-06-02 22:55:23 -0600 |
| commit | 1df6db45dc569cc6f18a9d1622fce5ebe62f8d30 (patch) | |
| tree | e4e8cac619bc2443c3e26d0f87a25c51f8a3b273 /modules/gallery/controllers/albums.php | |
| parent | 2bd8051c28621f6c25a3f85b73da2f94d62440f2 (diff) | |
| parent | dde5fb96ee9db5a67b286ea4ac4f35190453a6ef (diff) | |
Merge branch 'master' of git@github.com:gallery/gallery3
Diffstat (limited to 'modules/gallery/controllers/albums.php')
| -rw-r--r-- | modules/gallery/controllers/albums.php | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index 5ccadb37..efde4f09 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -24,11 +24,11 @@ class Albums_Controller extends Items_Controller { */ public function _show($album) { if (!access::can("view", $album)) { - if ($album->id != 1) { - access::forbidden(); - } else { + if ($album->id == 1) { print new Theme_View("login_page.html", "album"); return; + } else { + access::forbidden(); } } @@ -77,6 +77,8 @@ class Albums_Controller extends Items_Controller { * @see REST_Controller::_create($resource) */ public function _create($album) { + access::verify_csrf(); + access::required("view", $album); access::required("add", $album); switch ($this->input->post("type")) { @@ -92,6 +94,7 @@ class Albums_Controller extends Items_Controller { } private function _create_album($album) { + access::required("view", $album); access::required("add", $album); $form = album::get_add_form($album); @@ -120,6 +123,7 @@ class Albums_Controller extends Items_Controller { } private function _create_photo($album) { + access::required("view", $album); access::required("add", $album); // If we set the content type as JSON, it triggers saving the result as @@ -153,6 +157,8 @@ class Albums_Controller extends Items_Controller { * @see REST_Controller::_update($resource) */ public function _update($album) { + access::verify_csrf(); + access::required("view", $album); access::required("edit", $album); $form = album::get_edit_form($album); @@ -202,6 +208,7 @@ class Albums_Controller extends Items_Controller { */ public function _form_add($album_id) { $album = ORM::factory("item", $album_id); + access::required("view", $album); access::required("add", $album); switch ($this->input->get("type")) { @@ -223,6 +230,7 @@ class Albums_Controller extends Items_Controller { * @see REST_Controller::_form_add($parameters) */ public function _form_edit($album) { + access::required("view", $album); access::required("edit", $album); print album::get_edit_form($album); |