From bbbb35675acefc6b0b1b78dea9fd3a983189d772 Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Fri, 11 Jun 2010 15:40:54 -0700 Subject: Fix for ticket #1039. The problem was, as Bryan76 pointed out, with passing the full url in the continue parameter. In the logout controller, we tried to get the item from the url so we could check the permission of the item to insure that the guest user had access. But url::get_item_from_url expects a relative url. --- modules/gallery/controllers/logout.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers/logout.php') diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php index 967dad49..fdbadf1b 100644 --- a/modules/gallery/controllers/logout.php +++ b/modules/gallery/controllers/logout.php @@ -22,13 +22,16 @@ class Logout_Controller extends Controller { access::verify_csrf(); auth::logout(); if ($continue_url = Input::instance()->get("continue")) { - $item = url::get_item_from_uri($continue_url); + $components = explode("/", parse_url($continue_url, PHP_URL_PATH), 4); + $item = url::get_item_from_uri($components[3]); if (access::can("view", $item)) { // Don't use url::redirect() because it'll call url::site() and munge the continue url. - header("Location: $continue_url"); + header("Location: {$item->relative_url()}"); } else { url::redirect(item::root()->abs_url()); } + } else { + url::redirect(item::root()->abs_url()); } } } \ No newline at end of file -- cgit v1.2.3 From 63d95087bf0f24d4e880843cd2841906c6f91b38 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 12 Jun 2010 13:35:12 -0700 Subject: Stop trying to parse the continue url in the logout controller because it requires us to reproduce a bunch of complex routing logic. Instead, just have the logout link generating code generate a link that's visible to guests. --- modules/gallery/controllers/logout.php | 12 ++---------- modules/gallery/helpers/gallery_event.php | 13 ++++++++++++- 2 files changed, 14 insertions(+), 11 deletions(-) (limited to 'modules/gallery/controllers/logout.php') diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php index fdbadf1b..9caafec8 100644 --- a/modules/gallery/controllers/logout.php +++ b/modules/gallery/controllers/logout.php @@ -22,16 +22,8 @@ class Logout_Controller extends Controller { access::verify_csrf(); auth::logout(); if ($continue_url = Input::instance()->get("continue")) { - $components = explode("/", parse_url($continue_url, PHP_URL_PATH), 4); - $item = url::get_item_from_uri($components[3]); - if (access::can("view", $item)) { - // Don't use url::redirect() because it'll call url::site() and munge the continue url. - header("Location: {$item->relative_url()}"); - } else { - url::redirect(item::root()->abs_url()); - } - } else { - url::redirect(item::root()->abs_url()); + url::redirect($continue_url); } + url::redirect(item::root()->abs_url()); } } \ No newline at end of file diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index ae7131ae..1b688843 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -157,11 +157,22 @@ class gallery_event_Core { ->view("login_current_user.html") ->url(user_profile::url($user->id)) ->label($user->display_name())); + + if (isset($theme->item)) { + if (access::user_can(identity::guest(), "view", $theme->item)) { + $continue_url = $theme->item->abs_url(); + } else { + $continue_url = item::root()->abs_url(); + } + } else { + $continue_url = url::abs_current(); + } + $menu->append(Menu::factory("link") ->id("user_menu_logout") ->css_id("g-logout-link") ->url(url::site("logout?csrf=$csrf&continue=" . - urlencode(url::abs_current()))) + urlencode($continue_url))) ->label(t("Logout"))); } } -- cgit v1.2.3 From c026da85cdbac9e9566045f8de2718cae985f0ec Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 12 Jun 2010 15:10:34 -0700 Subject: Use "continue_url" instead of "continue" for consistency with the reauth code. --- modules/gallery/controllers/logout.php | 2 +- modules/gallery/helpers/gallery_event.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers/logout.php') diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php index 9caafec8..20fa8074 100644 --- a/modules/gallery/controllers/logout.php +++ b/modules/gallery/controllers/logout.php @@ -21,7 +21,7 @@ class Logout_Controller extends Controller { public function index() { access::verify_csrf(); auth::logout(); - if ($continue_url = Input::instance()->get("continue")) { + if ($continue_url = Input::instance()->get("continue_url")) { url::redirect($continue_url); } url::redirect(item::root()->abs_url()); diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php index 1b688843..55db47ce 100644 --- a/modules/gallery/helpers/gallery_event.php +++ b/modules/gallery/helpers/gallery_event.php @@ -171,7 +171,7 @@ class gallery_event_Core { $menu->append(Menu::factory("link") ->id("user_menu_logout") ->css_id("g-logout-link") - ->url(url::site("logout?csrf=$csrf&continue=" . + ->url(url::site("logout?csrf=$csrf&continue_url=" . urlencode($continue_url))) ->label(t("Logout"))); } -- cgit v1.2.3