From 1ada27916fa4575f6b093db17f4165d8cce16088 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 11 Feb 2010 05:24:16 -0800
Subject: Use the admin/users/edit_user_form version of the user editing form
right after initial install so that we're not requiring the user to re-enter
the auto-generated password to change their password and email.
Fixes ticket #1007
---
modules/gallery/views/welcome_message.html.php | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/modules/gallery/views/welcome_message.html.php b/modules/gallery/views/welcome_message.html.php
index caeeff66..4d6ed726 100644
--- a/modules/gallery/views/welcome_message.html.php
+++ b/modules/gallery/views/welcome_message.html.php
@@ -15,12 +15,15 @@
- id}") ?>"
+ id}") ?>"
title="= t("Edit your profile")->for_html_attr() ?>"
id="g-after-install-change-password-link"
class="g-button ui-state-default ui-corners-all">
= t("Change password and email now") ?>
+
--
From 6353a7c2decd62098ebc96951c38c9aade44fc4c Mon Sep 17 00:00:00 2001
From: Andy Staudacher
Date: Thu, 11 Feb 2010 14:28:32 -0800
Subject: Security: Fix leaking of album / photo names. Reject previous fix for
ticket 1009. Side effect: Renaming auth::required_login() to login_page().
---
modules/gallery/controllers/albums.php | 12 +++++++++---
modules/gallery/controllers/movies.php | 7 ++-----
modules/gallery/controllers/photos.php | 11 ++++-------
modules/gallery/helpers/access.php | 7 ++++++-
modules/gallery/helpers/auth.php | 7 ++++---
5 files changed, 25 insertions(+), 19 deletions(-)
diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php
index e1985cfb..c2b474ee 100644
--- a/modules/gallery/controllers/albums.php
+++ b/modules/gallery/controllers/albums.php
@@ -26,12 +26,18 @@ class Albums_Controller extends Items_Controller {
if (!is_object($album)) {
// show() must be public because we route to it in url::parse_url(), so make
// sure that we're actually receiving an object
- Kohana::show_404();
+ throw new Kohana_404_Exception();
}
if (!access::can("view", $album)) {
- print auth::require_login();
- return;
+ if ($album->id == 1) {
+ // Even show the login page to logged in users.
+ // It's a better user experience than a "Dang" error page.
+ print auth::login_page();
+ return;
+ } else {
+ access::required("view", $album);
+ }
}
$page_size = module::get_var("gallery", "page_size", 9);
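Review bot: The root-album special case `if ($album->id == 1)` hard-codes the id with no explanation beyond the user-experience remark, and its `else` branch re-evaluates the same permission that `access::can` on the line above has just checked. A short comment would spare the next reader from guessing why id 1 is treated differently: `// Album id 1 is the root album: visitors who cannot view it get the login page rather than a 404, since a 404 on the front page would be a dead end.` The loose comparison is defensible if the ORM hands back ids as strings; if it returns ints, `===` would be the safer form. show()'s body continues outside the hunk.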
diff --git a/modules/gallery/controllers/movies.php b/modules/gallery/controllers/movies.php
index 8041066e..78a56e81 100644
--- a/modules/gallery/controllers/movies.php
+++ b/modules/gallery/controllers/movies.php
@@ -22,13 +22,10 @@ class Movies_Controller extends Items_Controller {
if (!is_object($movie)) {
// show() must be public because we route to it in url::parse_url(), so make
// sure that we're actually receiving an object
- Kohana::show_404();
+ throw new Kohana_404_Exception();
}
- if (!access::can("view", $movie)) {
- print auth::require_login();
- return;
- }
+ access::required("view", $movie);
$where = array(array("type", "!=", "album"));
$position = $movie->parent()->get_position($movie, $where);
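Review bot: With `access::required("view", $movie)` an anonymous visitor now receives a 404 where the removed lines showed a login page, and nothing at the call site says this is deliberate; the identical line in the photos.php hunk has the same gap. A one-line comment keeps a later "fix" from restoring the login prompt: `// A 404, not a login page: a login prompt would confirm the movie exists (see access::required).` The 404-on-view behaviour itself lives in access::required, so a reader of this file alone cannot see it. show()'s body continues outside the hunk.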
diff --git a/modules/gallery/controllers/photos.php b/modules/gallery/controllers/photos.php
index 778e9ae7..f2d47eec 100644
--- a/modules/gallery/controllers/photos.php
+++ b/modules/gallery/controllers/photos.php
@@ -22,14 +22,11 @@ class Photos_Controller extends Items_Controller {
if (!is_object($photo)) {
// show() must be public because we route to it in url::parse_url(), so make
// sure that we're actually receiving an object
- Kohana::show_404();
+ throw new Kohana_404_Exception();
}
-
- if (!access::can("view", $photo)) {
- print auth::require_login();
- return;
- }
-
+
+ access::required("view", $photo);
+
$where = array(array("type", "!=", "album"));
$position = $photo->parent()->get_position($photo, $where);
if ($position > 1) {
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 29b981e8..7e8b079a 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -118,7 +118,12 @@ class access_Core {
*/
static function required($perm_name, $item) {
if (!self::can($perm_name, $item)) {
- self::forbidden();
+ if ($perm_name == "view") {
+ // Treat as if the item didn't exist, don't leak any information.
+ throw new Kohana_404_Exception();
+ } else {
+ self::forbidden();
+ }
}
}
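Review bot: The 404 is thrown only when the failed permission is "view", so a caller who cannot view an item but asks for "edit" or any other permission still reaches `self::forbidden()`, and that 403 confirms the item exists — assuming the calling controllers 404 on missing items first, as the three controller hunks in this commit do, the leak being closed for view requests stays open for every other permission. Checking view first closes it: `if ($perm_name == "view" || !self::can("view", $item)) {` in place of the added `if ($perm_name == "view") {`, so anything the caller may not see 404s regardless of which permission was requested. The docblock that ends at the `*/` line above should also state that a missing view permission now yields a 404 rather than the forbidden page. required()'s body is fully visible; the docblock start is outside the hunk.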
diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php
index f5454f85..8b0ce470 100644
--- a/modules/gallery/helpers/auth.php
+++ b/modules/gallery/helpers/auth.php
@@ -132,15 +132,16 @@ class auth_Core {
}
/**
- * Redirect to the login page.
+ * Returns the themed login page.
*/
- static function require_login() {
+ static function login_page($continue_url=null) {
$view = new Theme_View("page.html", "other", "login");
$view->page_title = t("Log in to Gallery");
$view->content = new View("login_ajax.html");
$view->content->form = auth::get_login_form("login/auth_html");
// Avoid anti-phishing protection by passing the url as session variable.
- Session::instance()->set("continue_url", url::current(true));
+ $continue_url or $continue_url = url::current(true);
+ Session::instance()->set("continue_url", $continue_url);
return $view;
}
}
\ No newline at end of file
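Review bot: The new `$continue_url` parameter is written to the session without validation and is not described in the docblock; the existing comment says the session store exists precisely to keep the continue URL out of reach of phishing, so a caller that ever forwards request input into this parameter would reopen that hole. The only caller visible in this commit (albums.php) passes nothing, so today this is a contract to document rather than a defect: `@param string|null $continue_url  URL to return to after login; must be a site-local URL chosen by the caller, never taken from the request.` The `$continue_url or $continue_url = url::current(true);` idiom works because `or` binds lower than `=`, but `if (!$continue_url) { $continue_url = url::current(true); }` says the same thing without relying on that precedence. login_page()'s body is fully visible in the hunk.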
--