authorAndy Staudacher <andy.st@gmail.com>2010-02-11 14:28:32 -0800
committerAndy Staudacher <andy.st@gmail.com>2010-02-11 14:28:32 -0800
commit6353a7c2decd62098ebc96951c38c9aade44fc4c (patch)
treea8196b622c4aaa50ef91a01cc135be2eed03eb21 /modules/gallery/helpers/access.php
parentcd98f85260efd90cc93db78ee1efed997d0221c2 (diff)
Security: Fix leaking of album / photo names. Reject previous fix for ticket 1009.
Side effect: Renaming auth::required_login() to login_page().
Diffstat (limited to 'modules/gallery/helpers/access.php')
-rw-r--r--modules/gallery/helpers/access.php7
1 files changed, 6 insertions, 1 deletions
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 29b981e8..7e8b079a 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -118,7 +118,12 @@ class access_Core {
*/
static function required($perm_name, $item) {
if (!self::can($perm_name, $item)) {
- self::forbidden();
+ if ($perm_name == "view") {
+ // Treat as if the item didn't exist, don't leak any information.
+ throw new Kohana_404_Exception();
+ } else {
+ self::forbidden();
+ }
}
}
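Review bot: The 404 branch in `required()` is keyed only on the permission name, so a call that requires any other permission on an item the user cannot view still ends in `self::forbidden()`. That response differs from the one for a missing item, so it can still confirm that a hidden album or photo exists. Whether any caller requires a non-view permission without first requiring "view" is not visible from this hunk. Making the condition depend on visibility closes the gap either way: `if ($perm_name == "view" || !self::can("view", $item)) {`. The docblock that ends just above the hunk should also state that a failed check on a non-viewable item raises `Kohana_404_Exception` rather than calling `forbidden()`, so callers know both outcomes.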