CSRF / auth fixes, golden data file checkpoint

author: Andy Staudacher <andy.st@gmail.com> 2009-09-15 21:50:48 -0700
committer: Andy Staudacher <andy.st@gmail.com> 2009-09-15 21:50:48 -0700
commit: e168e0dfae28bb56289b4debae8825c104ee69f9 (patch)
tree: 6a77e0aed4177ec9521ffe7895f98018bd03cb49 /modules
parent: 61bbe1d78c409dbc2d4af771146878f8f720959a (diff)
6 files changed, 28 insertions, 4 deletions
diff --git a/modules/gallery/controllers/permissions.php b/modules/gallery/controllers/permissions.php
index 5f4620b2..8d75862e 100644
--- a/modules/gallery/controllers/permissions.php
+++ b/modules/gallery/controllers/permissions.php
@@ -81,7 +81,7 @@ class Permissions_Controller extends Controller {
     }
   }
 
-  function _get_form($item) {
+  private function _get_form($item) {
     $view = new View("permissions_form.html");
     $view->item = $item;
     $view->groups = ORM::factory("group")->find_all();
diff --git a/modules/gallery/controllers/simple_uploader.php b/modules/gallery/controllers/simple_uploader.php
index 156d18ac..bc508319 100644
--- a/modules/gallery/controllers/simple_uploader.php
+++ b/modules/gallery/controllers/simple_uploader.php
@@ -32,6 +32,7 @@ class Simple_Uploader_Controller extends Controller {
   }
 
   public function start() {
+    access::verify_csrf();
     batch::start();
   }
 
diff --git a/modules/gallery/tests/Controller_Auth_Test.php b/modules/gallery/tests/Controller_Auth_Test.php
index e3eb4eaf..50afae8f 100644
--- a/modules/gallery/tests/Controller_Auth_Test.php
+++ b/modules/gallery/tests/Controller_Auth_Test.php
@@ -21,6 +21,10 @@ class Controller_Auth_Test extends Unit_Test_Case {
   public function find_missing_auth_test() {
     $found = array();
     foreach (glob("*/*/controllers/*.php") as $controller) {
+      if (strpos($controller, "modules/unit_test/") !== false) {
+        continue;
+      }
+
       // List of all tokens without whitespace, simplifying parsing.
       $tokens = array();
       foreach (token_get_all(file_get_contents($controller)) as $token) {
@@ -150,12 +154,12 @@ class Controller_Auth_Test extends Unit_Test_Case {
           continue;
         }
 
-        fprintf($fd, "%-60s %-20s %-21s\n",
+        fprintf($fd, "%-60s %-20s %s\n",
                 $controller, $function->name, implode("|", $flags));
       }
 
       if (strpos(basename($controller), "admin_") === 0 && !$is_admin_controller) {
-        fprintf($fd, "%-60s %-20s %-21s\n",
+        fprintf($fd, "%-60s %-20s %s\n",
                 $controller, basename($controller), "NO_ADMIN_CONTROLLER");
       }
     }
diff --git a/modules/gallery/tests/controller_auth_data.txt b/modules/gallery/tests/controller_auth_data.txt
index e69de29b..aabd2863 100644
--- a/modules/gallery/tests/controller_auth_data.txt
+++ b/modules/gallery/tests/controller_auth_data.txt
@@ -0,0 +1,17 @@
+modules/comment/controllers/admin_comments.php               queue                DIRTY_CSRF
+modules/digibug/controllers/digibug.php                      close_window         DIRTY_AUTH
+modules/gallery/controllers/combined.php                     javascript           DIRTY_AUTH
+modules/gallery/controllers/combined.php                     css                  DIRTY_AUTH
+modules/gallery/controllers/maintenance.php                  index                DIRTY_AUTH
+modules/gallery/controllers/rest.php                         form_add             DIRTY_AUTH
+modules/gallery/controllers/rest.php                         _index               DIRTY_AUTH
+modules/gallery/controllers/rest.php                         _create              DIRTY_AUTH
+modules/gallery/controllers/rest.php                         _show                DIRTY_AUTH
+modules/gallery/controllers/rest.php                         _update              DIRTY_AUTH
+modules/gallery/controllers/rest.php                         _delete              DIRTY_AUTH
+modules/gallery/controllers/rest.php                         _form_add            DIRTY_AUTH
+modules/gallery/controllers/rest.php                         _form_edit           DIRTY_AUTH
+modules/gallery/controllers/simple_uploader.php              start                DIRTY_AUTH
+modules/gallery/controllers/simple_uploader.php              finish               DIRTY_AUTH
+modules/user/controllers/login.php                           ajax                 DIRTY_AUTH
+modules/user/controllers/login.php                           html                 DIRTY_AUTH
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index c993e374..f4f98090 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -43,6 +43,8 @@ class Tags_Controller extends REST_Controller {
   }
 
   public function _index() {
+    // Far from perfection, but at least require view permission for the root album
+    access::required("view", 1);
     print tag::cloud(30);
   }
 
diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index 521f82fa..0b748955 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -17,7 +17,7 @@
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
  */
-class Admin_Users_Controller extends Controller {
+class Admin_Users_Controller extends Admin_Controller {
   public function index() {
     $view = new Admin_View("admin.html");
     $view->content = new View("admin_users.html");
author	Andy Staudacher <andy.st@gmail.com>	2009-09-15 21:50:48 -0700
committer	Andy Staudacher <andy.st@gmail.com>	2009-09-15 21:50:48 -0700
commit	e168e0dfae28bb56289b4debae8825c104ee69f9 (patch)
tree	6a77e0aed4177ec9521ffe7895f98018bd03cb49 /modules
parent	61bbe1d78c409dbc2d4af771146878f8f720959a (diff)