diff options
| author | Andy Staudacher <andy.st@gmail.com> | 2010-02-11 14:28:32 -0800 |
|---|---|---|
| committer | Andy Staudacher <andy.st@gmail.com> | 2010-02-11 14:28:32 -0800 |
| commit | 6353a7c2decd62098ebc96951c38c9aade44fc4c (patch) | |
| tree | a8196b622c4aaa50ef91a01cc135be2eed03eb21 /modules/gallery/controllers | |
| parent | cd98f85260efd90cc93db78ee1efed997d0221c2 (diff) | |
Security: Fix leaking of album / photo names. Reject previous fix for ticket 1009.
Side effect: Renaming auth::required_login() to login_page().
Diffstat (limited to 'modules/gallery/controllers')
| -rw-r--r-- | modules/gallery/controllers/albums.php | 12 | ||||
| -rw-r--r-- | modules/gallery/controllers/movies.php | 7 | ||||
| -rw-r--r-- | modules/gallery/controllers/photos.php | 11 |
3 files changed, 15 insertions, 15 deletions
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index e1985cfb..c2b474ee 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -26,12 +26,18 @@ class Albums_Controller extends Items_Controller { if (!is_object($album)) { // show() must be public because we route to it in url::parse_url(), so make // sure that we're actually receiving an object - Kohana::show_404(); + throw new Kohana_404_Exception(); } if (!access::can("view", $album)) { - print auth::require_login(); - return; + if ($album->id == 1) { + // Even show the login page to logged in users. + // It's a better user experience than a "Dang" error page. + print auth::login_page(); + return; + } else { + access::required("view", $album); + } } $page_size = module::get_var("gallery", "page_size", 9); diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php index 8041066e..78a56e81 100644 --- a/modules/gallery/controllers/movies.php +++ b/modules/gallery/controllers/movies.php @@ -22,13 +22,10 @@ class Movies_Controller extends Items_Controller { if (!is_object($movie)) { // show() must be public because we route to it in url::parse_url(), so make // sure that we're actually receiving an object - Kohana::show_404(); + throw new Kohana_404_Exception(); } - if (!access::can("view", $movie)) { - print auth::require_login(); - return; - } + access::required("view", $movie); $where = array(array("type", "!=", "album")); $position = $movie->parent()->get_position($movie, $where); diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php index 778e9ae7..f2d47eec 100644 --- a/modules/gallery/controllers/photos.php +++ b/modules/gallery/controllers/photos.php @@ -22,14 +22,11 @@ class Photos_Controller extends Items_Controller { if (!is_object($photo)) { // show() must be public because we route to it in url::parse_url(), so make // sure that we're actually receiving an object - Kohana::show_404(); + throw new Kohana_404_Exception(); } - - if (!access::can("view", $photo)) { - print auth::require_login(); - return; - } - + + access::required("view", $photo); + $where = array(array("type", "!=", "album")); $position = $photo->parent()->get_position($photo, $where); if ($position > 1) { |