From 6353a7c2decd62098ebc96951c38c9aade44fc4c Mon Sep 17 00:00:00 2001
From: Andy Staudacher <andy.st@gmail.com>
Date: Thu, 11 Feb 2010 14:28:32 -0800
Subject: Security: Fix leaking of album / photo names. Reject previous fix for
 ticket 1009. Side effect: Renaming auth::required_login() to login_page().

---
 modules/gallery/controllers/photos.php | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

(limited to 'modules/gallery/controllers/photos.php')

diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 778e9ae7..f2d47eec 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -22,14 +22,11 @@ class Photos_Controller extends Items_Controller {
     if (!is_object($photo)) {
       // show() must be public because we route to it in url::parse_url(), so make
       // sure that we're actually receiving an object
-      Kohana::show_404();
+      throw new Kohana_404_Exception();
     }
-
-    if (!access::can("view", $photo)) {
-      print auth::require_login();
-      return;
-    }
-
+  
+    access::required("view", $photo);
+  
     $where = array(array("type", "!=", "album"));
     $position = $photo->parent()->get_position($photo, $where);
     if ($position > 1) {
-- 
cgit v1.2.3