From f93528ffab19b7a733fc8fb21c22853d8ec0d2f5 Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Sun, 7 Feb 2010 15:37:32 -0800 Subject: Last partial fix for ticket 585: Compartmentalize the admin area and require active authentication every 20 minutes to access the admin area. Also renaming auth::validate_too_many_failed_password_changes to validate_too_many_failed_auth_attempts since it's used in this generalized way in 3 places now. --- modules/gallery/controllers/admin.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'modules/gallery/controllers/admin.php') diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index e4216991..b5f3db39 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -21,7 +21,7 @@ class Admin_Controller extends Controller { private $theme; public function __construct($theme=null) { - if (!(identity::active_user()->admin)) { + if (!identity::active_user()->admin) { access::forbidden(); } @@ -29,6 +29,10 @@ class Admin_Controller extends Controller { } public function __call($controller_name, $args) { + if (auth::must_reauth_for_admin_area()) { + return url::redirect("reauthenticate"); + } + if (request::method() == "post") { access::verify_csrf(); } -- cgit v1.2.3 From f9d00aa7429599f46e09b23e8313932ac5e186c3 Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Mon, 8 Feb 2010 00:30:36 -0800 Subject: Fix for ticket 1008: Redirect to destination after re-auth. --- modules/gallery/controllers/admin.php | 12 +++++++++++- modules/gallery/controllers/reauthenticate.php | 3 ++- 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers/admin.php') diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index b5f3db39..5467e88a 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -30,7 +30,7 @@ class Admin_Controller extends Controller { public function __call($controller_name, $args) { if (auth::must_reauth_for_admin_area()) { - return url::redirect("reauthenticate"); + return self::_prompt_for_reauth($controller_name, $args); } if (request::method() == "post") { @@ -53,5 +53,15 @@ class Admin_Controller extends Controller { call_user_func_array(array(new $controller_name, $method), $args); } + + private static function _prompt_for_reauth($controller_name, $args) { + if (request::method() == "get" && !request::is_ajax()) { + $url_args = array("admin", $controller_name) + $args; + $continue_url = join("/", $url_args); + // Avoid anti-phishing protection by passing the url as session variable. + Session::instance()->set("continue_url", $continue_url); + } + url::redirect("reauthenticate"); + } } diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php index 4b88a9cc..dbd1cd21 100644 --- a/modules/gallery/controllers/reauthenticate.php +++ b/modules/gallery/controllers/reauthenticate.php @@ -37,7 +37,8 @@ class Reauthenticate_Controller extends Controller { if ($valid) { message::success(t("Successfully re-authenticated!")); module::event("user_auth", $user); - url::redirect("admin"); + $continue_url = Session::instance()->get_once("continue_url", "admin"); + url::redirect($continue_url); } else { $name = $user->name; log::warning("user", t("Failed re-authentication for %name", array("name" => $name))); -- cgit v1.2.3 From f6c615c379bb6950dacff34bfda73a616dce6e6b Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Wed, 10 Feb 2010 08:32:30 -0800 Subject: Use the helper ulr:current instead of manually creating the continue url. --- modules/gallery/controllers/admin.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'modules/gallery/controllers/admin.php') diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php index 5467e88a..7706e9fc 100644 --- a/modules/gallery/controllers/admin.php +++ b/modules/gallery/controllers/admin.php @@ -56,10 +56,8 @@ class Admin_Controller extends Controller { private static function _prompt_for_reauth($controller_name, $args) { if (request::method() == "get" && !request::is_ajax()) { - $url_args = array("admin", $controller_name) + $args; - $continue_url = join("/", $url_args); // Avoid anti-phishing protection by passing the url as session variable. - Session::instance()->set("continue_url", $continue_url); + Session::instance()->set("continue_url", url::current(true)); } url::redirect("reauthenticate"); } -- cgit v1.2.3