author | Andy Staudacher <andy.st@gmail.com> | 2010-02-11 14:28:32 -0800 |
---|---|---|
committer | Andy Staudacher <andy.st@gmail.com> | 2010-02-11 14:28:32 -0800 |
commit | 6353a7c2decd62098ebc96951c38c9aade44fc4c (patch) | |
tree | a8196b622c4aaa50ef91a01cc135be2eed03eb21 /modules/gallery/controllers/albums.php | |
parent | cd98f85260efd90cc93db78ee1efed997d0221c2 (diff) |
Security: Fix leaking of album / photo names. Reject previous fix for ticket 1009.
Side effect: Renames auth::require_login() to auth::login_page().
Diffstat (limited to 'modules/gallery/controllers/albums.php')
-rw-r--r-- | modules/gallery/controllers/albums.php | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index e1985cfb..c2b474ee 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -26,12 +26,18 @@ class Albums_Controller extends Items_Controller {
 if (!is_object($album)) {
 // show() must be public because we route to it in url::parse_url(), so make
 // sure that we're actually receiving an object
- Kohana::show_404();
+ throw new Kohana_404_Exception();
 }
 if (!access::can("view", $album)) {
- print auth::require_login();
- return;
+ if ($album->id == 1) {
+ // Even show the login page to logged in users.
+ // It's a better user experience than a "Dang" error page.
+ print auth::login_page();
+ return;
+ } else {
+ access::required("view", $album);
+ }
 }
 $page_size = module::get_var("gallery", "page_size", 9); |
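Review bot: The `else` branch depends on `access::required("view", $album)` never returning, because nothing after it stops the method from falling through to the `$page_size` line and rendering an album that `access::can()` has just refused. `access::required()` is defined outside this hunk, so it presumably throws, but a comment such as `// access::required() throws when the check fails; it must not return here` would make the fail-closed assumption explicit. It is also worth confirming that its response is indistinguishable from the `Kohana_404_Exception` thrown for a missing album, otherwise the two answers still reveal to an unauthenticated client which albums exist. The literal in `$album->id == 1` would read better with a note that id 1 is presumably the root album. The body of show() starts before and continues after the hunk.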