summaryrefslogtreecommitdiff
path: root/modules/gallery/controllers
diff options
context:
space:
mode:
Diffstat (limited to 'modules/gallery/controllers')
-rw-r--r--modules/gallery/controllers/admin.php14
-rw-r--r--modules/gallery/controllers/admin_maintenance.php9
-rw-r--r--modules/gallery/controllers/albums.php15
-rw-r--r--modules/gallery/controllers/login.php5
-rw-r--r--modules/gallery/controllers/movies.php6
-rw-r--r--modules/gallery/controllers/photos.php6
-rw-r--r--modules/gallery/controllers/reauthenticate.php73
7 files changed, 103 insertions, 25 deletions
diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php
index e4216991..7706e9fc 100644
--- a/modules/gallery/controllers/admin.php
+++ b/modules/gallery/controllers/admin.php
@@ -21,7 +21,7 @@ class Admin_Controller extends Controller {
private $theme;
public function __construct($theme=null) {
- if (!(identity::active_user()->admin)) {
+ if (!identity::active_user()->admin) {
access::forbidden();
}
@@ -29,6 +29,10 @@ class Admin_Controller extends Controller {
}
public function __call($controller_name, $args) {
+ if (auth::must_reauth_for_admin_area()) {
+ return self::_prompt_for_reauth($controller_name, $args);
+ }
+
if (request::method() == "post") {
access::verify_csrf();
}
@@ -49,5 +53,13 @@ class Admin_Controller extends Controller {
call_user_func_array(array(new $controller_name, $method), $args);
}
+
+ private static function _prompt_for_reauth($controller_name, $args) {
+ if (request::method() == "get" && !request::is_ajax()) {
+ // Avoid anti-phishing protection by passing the url as session variable.
+ Session::instance()->set("continue_url", url::current(true));
+ }
+ url::redirect("reauthenticate");
+ }
}
diff --git a/modules/gallery/controllers/admin_maintenance.php b/modules/gallery/controllers/admin_maintenance.php
index 8e4845a9..d90fe0ea 100644
--- a/modules/gallery/controllers/admin_maintenance.php
+++ b/modules/gallery/controllers/admin_maintenance.php
@@ -46,15 +46,6 @@ class Admin_Maintenance_Controller extends Admin_Controller {
->where("done", "=", 0)->order_by("updated", "DESC")->find_all();
$view->content->finished_tasks = ORM::factory("task")
->where("done", "=", 1)->order_by("updated", "DESC")->find_all();
- $task_buttons =
- new ArrayObject(array((object)array("text" => t("run"),
- "url" =>url::site("admin/maintenance/start"))));
- module::event("admin_maintenance_task_buttons", $task_buttons);
- $view->content->task_buttons = $task_buttons;
-
- $maintenance_content = new ArrayObject();
- module::event("admin_maintenance_content", $maintenance_content);
- $view->content->task_maintenance_content = $maintenance_content;
print $view;
}
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index a378f3ee..e1985cfb 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -28,20 +28,13 @@ class Albums_Controller extends Items_Controller {
// sure that we're actually receiving an object
Kohana::show_404();
}
- $page_size = module::get_var("gallery", "page_size", 9);
+
if (!access::can("view", $album)) {
- if ($album->id == 1) {
- $view = new Theme_View("page.html", "other", "login");
- $view->page_title = t("Log in to Gallery");
- $view->content = new View("login_ajax.html");
- $view->content->form = auth::get_login_form("login/auth_html");
- print $view;
- return;
- } else {
- access::forbidden();
- }
+ print auth::require_login();
+ return;
}
+ $page_size = module::get_var("gallery", "page_size", 9);
$input = Input::instance();
$show = $input->get("show");
diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php
index 1426f0d8..093c15da 100644
--- a/modules/gallery/controllers/login.php
+++ b/modules/gallery/controllers/login.php
@@ -44,9 +44,10 @@ class Login_Controller extends Controller {
public function auth_html() {
access::verify_csrf();
+ $continue_url = Session::instance()->get("continue_url", null);
list ($valid, $form) = $this->_auth("login/auth_html");
if ($valid) {
- url::redirect(item::root()->abs_url());
+ url::redirect($continue_url ? $continue_url : item::root()->abs_url());
} else {
$view = new Theme_View("page.html", "other", "login");
$view->page_title = t("Log in to Gallery");
@@ -65,7 +66,7 @@ class Login_Controller extends Controller {
$form->login->inputs["name"]->add_error("invalid_login", 1);
$name = $form->login->inputs["name"]->value;
log::warning("user", t("Failed login for %name", array("name" => $name)));
- module::event("user_login_failed", $name);
+ module::event("user_auth_failed", $name);
$valid = false;
}
}
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index b51282b3..8041066e 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -24,7 +24,11 @@ class Movies_Controller extends Items_Controller {
// sure that we're actually receiving an object
Kohana::show_404();
}
- access::required("view", $movie);
+
+ if (!access::can("view", $movie)) {
+ print auth::require_login();
+ return;
+ }
$where = array(array("type", "!=", "album"));
$position = $movie->parent()->get_position($movie, $where);
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index b5da3884..778e9ae7 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -24,7 +24,11 @@ class Photos_Controller extends Items_Controller {
// sure that we're actually receiving an object
Kohana::show_404();
}
- access::required("view", $photo);
+
+ if (!access::can("view", $photo)) {
+ print auth::require_login();
+ return;
+ }
$where = array(array("type", "!=", "album"));
$position = $photo->parent()->get_position($photo, $where);
diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php
new file mode 100644
index 00000000..dbd1cd21
--- /dev/null
+++ b/modules/gallery/controllers/reauthenticate.php
@@ -0,0 +1,73 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class Reauthenticate_Controller extends Controller {
+ public function index($share_translations_form=null) {
+ if (!identity::active_user()->admin) {
+ access::forbidden();
+ }
+ return self::_show_form(self::_form());
+ }
+
+ public function auth() {
+ if (!identity::active_user()->admin) {
+ access::forbidden();
+ }
+ access::verify_csrf();
+
+ $form = self::_form();
+ $valid = $form->validate();
+ $user = identity::active_user();
+ if ($valid) {
+ message::success(t("Successfully re-authenticated!"));
+ module::event("user_auth", $user);
+ $continue_url = Session::instance()->get_once("continue_url", "admin");
+ url::redirect($continue_url);
+ } else {
+ $name = $user->name;
+ log::warning("user", t("Failed re-authentication for %name", array("name" => $name)));
+ module::event("user_auth_failed", $name);
+ return self::_show_form($form);
+ }
+ }
+
+ private static function _show_form($form) {
+ $view = new Theme_View("page.html", "other", "reauthenticate");
+ $view->page_title = t("Re-authenticate");
+ $view->content = new View("reauthenticate.html");
+ $view->content->form = $form;
+ $view->content->user_name = identity::active_user()->name;
+ print $view;
+ }
+
+ private static function _form() {
+ $form = new Forge("reauthenticate/auth", "", "post", array("id" => "g-reauthenticate-form"));
+ $form->set_attr('class', "g-narrow");
+ $group = $form->group("reauthenticate")->label(t("Re-authenticate"));
+ $group->password("password")->label(t("Password"))->id("g-password")->class(null)
+ ->callback("auth::validate_too_many_failed_auth_attempts")
+ ->callback("user::valid_password")
+ ->error_messages("invalid", t("Incorrect password"))
+ ->error_messages(
+ "too_many_failed_auth_attempts",
+ t("Too many incorrect passwords. Try again later"));
+ $group->submit("")->value(t("Submit"));
+ return $form;
+ }
+}
generated by cgit v1.2.3 (git 2.46.0) at 2025-10-15 08:56:36 +0000