From 5892712b237cb1e585b2cc7a6820d2cf3a8c1a34 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Fri, 10 Sep 2010 23:01:47 -0700 Subject: If the user is not an admin, don't 403 -- instead just redirect them to the root album. Fixes ticket #1356. --- modules/gallery/controllers/reauthenticate.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php index 0486c0fe..53a96374 100644 --- a/modules/gallery/controllers/reauthenticate.php +++ b/modules/gallery/controllers/reauthenticate.php @@ -19,12 +19,19 @@ */ class Reauthenticate_Controller extends Controller { public function index() { + $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax()); if (!identity::active_user()->admin) { - access::forbidden(); + if ($is_ajax) { + // We should never be able to get here since Admin_Controller::_reauth_check() won't work + // for non-admins. + access::forbidden(); + } else { + url::redirect(item::root()->abs_url()); + } } + // On redirects from the admin controller, the ajax request indicator is lost, // so we store it in the session. - $is_ajax = Session::instance()->get_once("is_ajax_request", request::is_ajax()); if ($is_ajax) { $v = new View("reauthenticate.html"); $v->form = self::_form(); -- cgit v1.2.3 From 67f45cfa781ef4b446676e199470e421f5463812 Mon Sep 17 00:00:00 2001 From: Bharat Mediratta Date: Sat, 11 Sep 2010 01:46:45 -0700 Subject: Add CSRF protection to the upgrader. And update the CLI output so that it tells you which modules failed to upgrade properly. Fixes ticket #1359. --- modules/gallery/controllers/upgrader.php | 21 ++++++++++++++++++--- modules/gallery/views/upgrader.html.php | 2 +- 2 files changed, 19 insertions(+), 4 deletions(-) (limited to 'modules/gallery/controllers') diff --git a/modules/gallery/controllers/upgrader.php b/modules/gallery/controllers/upgrader.php index 6613d671..b2646874 100644 --- a/modules/gallery/controllers/upgrader.php +++ b/modules/gallery/controllers/upgrader.php @@ -54,8 +54,16 @@ class Upgrader_Controller extends Controller { // @todo this may screw up some module installers, but we don't have a better answer at // this time. $_SERVER["HTTP_HOST"] = "example.com"; - } else if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { - access::forbidden(); + } else { + if (!identity::active_user()->admin && !Session::instance()->get("can_upgrade", false)) { + access::forbidden(); + } + + try { + access::verify_csrf(); + } catch (Exception $e) { + url::redirect("upgrader"); + } } $available = module::available(); @@ -87,7 +95,14 @@ class Upgrader_Controller extends Controller { site_status::clear("upgrade_now"); if (php_sapi_name() == "cli") { - print "Upgrade complete\n"; + if ($failed) { + print "Upgrade completed ** WITH FAILURES **\n"; + print "The following modules were not successfully upgraded:\n"; + print " " . implode($failed, "\n ") . "\n"; + print "Try getting newer versions or deactivating those modules\n"; + } else { + print "Upgrade complete\n"; + } } else { url::redirect("upgrader?failed=" . join(",", $failed)); } diff --git a/modules/gallery/views/upgrader.html.php b/modules/gallery/views/upgrader.html.php index c2d8a552..554cf30d 100644 --- a/modules/gallery/views/upgrader.html.php +++ b/modules/gallery/views/upgrader.html.php @@ -84,7 +84,7 @@ -- cgit v1.2.3