diff --git a/code/controllers/CommentingController.php b/code/controllers/CommentingController.php index 45d330b..107046e 100644 --- a/code/controllers/CommentingController.php +++ b/code/controllers/CommentingController.php @@ -20,6 +20,7 @@ class CommentingController extends Controller { private $baseClass = ""; private $ownerRecord = ""; private $ownerController = ""; + protected $fallbackReturnURL = null; public function setBaseClass($class) { $this->baseClass = $class; @@ -132,7 +133,9 @@ class CommentingController extends Controller { public function delete() { $comment = $this->getComment(); if(!$comment) return $this->httpError(404); - if(!$comment->canDelete()) return $this->httpError(403); + if(!$comment->canDelete()) { + return Security::permissionFailure($this, 'You do not have permission to delete this comment'); + } if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400); $comment->delete(); @@ -148,7 +151,9 @@ class CommentingController extends Controller { public function spam() { $comment = $this->getComment(); if(!$comment) return $this->httpError(404); - if(!$comment->canEdit()) return $this->httpError(403); + if(!$comment->canEdit()) { + return Security::permissionFailure($this, 'You do not have permission to edit this comment'); + } if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400); $comment->IsSpam = true; @@ -166,7 +171,9 @@ class CommentingController extends Controller { public function ham() { $comment = $this->getComment(); if(!$comment) return $this->httpError(404); - if(!$comment->canEdit()) return $this->httpError(403); + if(!$comment->canEdit()) { + return Security::permissionFailure($this, 'You do not have permission to edit this comment'); + } if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400); $comment->IsSpam = false; @@ -184,7 +191,9 @@ class CommentingController extends Controller { public function approve() { $comment = $this->getComment(); if(!$comment) return $this->httpError(404); - if(!$comment->canEdit()) return $this->httpError(403); + if(!$comment->canEdit()) { + return Security::permissionFailure($this, 'You do not have permission to approve this comment'); + } if(!$comment->getSecurityToken()->checkRequest($this->request)) return $this->httpError(400); $comment->IsSpam = false; @@ -209,6 +218,7 @@ class CommentingController extends Controller { $comment = DataObject::get_by_id('Comment', $id); if($comment) { + $this->fallbackReturnURL = $comment->Link(); return $comment; } } @@ -420,4 +430,35 @@ class CommentingController extends Controller { return $this->doPostComment($data, $form); } + + public function redirectBack() { + // Don't cache the redirect back ever + HTTP::set_cache_age(0); + + $url = null; + + // In edge-cases, this will be called outside of a handleRequest() context; in that case, + // redirect to the homepage - don't break into the global state at this stage because we'll + // be calling from a test context or something else where the global state is inappropraite + if($this->request) { + if($this->request->requestVar('BackURL')) { + $url = $this->request->requestVar('BackURL'); + } else if($this->request->isAjax() && $this->request->getHeader('X-Backurl')) { + $url = $this->request->getHeader('X-Backurl'); + } else if($this->request->getHeader('Referer')) { + $url = $this->request->getHeader('Referer'); + } + } + + if(!$url) $url = $this->fallbackReturnURL; + if(!$url) $url = Director::baseURL(); + + // absolute redirection URLs not located on this site may cause phishing + if(Director::is_site_url($url)) { + return $this->redirect($url); + } else { + return false; + } + + } } diff --git a/tests/CommentsTest.php b/tests/CommentsTest.php index 1b1e160..e237e47 100644 --- a/tests/CommentsTest.php +++ b/tests/CommentsTest.php @@ -95,7 +95,7 @@ class CommentsTest extends FunctionalTest { $comment = $this->objFromFixture('Comment', 'firstComA'); $commentID = $comment->ID; $this->assertFalse($comment->DeleteLink(), 'No permission to see delete link'); - $delete = $this->get('CommentingController/delete/'.$comment->ID); + $delete = $this->get('CommentingController/delete/'.$comment->ID.'?ajax=1'); $this->assertEquals(403, $delete->getStatusCode()); $check = DataObject::get_by_id('Comment', $commentID); $this->assertTrue($check && $check->exists()); @@ -134,7 +134,7 @@ class CommentsTest extends FunctionalTest { $comment = $this->objFromFixture('Comment', 'firstComA'); $commentID = $comment->ID; $this->assertFalse($comment->SpamLink(), 'No permission to see mark as spam link'); - $spam = $this->get('CommentingController/spam/'.$comment->ID); + $spam = $this->get('CommentingController/spam/'.$comment->ID.'?ajax=1'); $this->assertEquals(403, $spam->getStatusCode()); $check = DataObject::get_by_id('Comment', $commentID); $this->assertEquals(0, $check->IsSpam, 'No permission to mark as spam'); @@ -176,7 +176,7 @@ class CommentsTest extends FunctionalTest { $comment = $this->objFromFixture('Comment', 'secondComC'); $commentID = $comment->ID; $this->assertFalse($comment->HamLink(), 'No permission to see mark as ham link'); - $ham = $this->get('CommentingController/ham/'.$comment->ID); + $ham = $this->get('CommentingController/ham/'.$comment->ID.'?ajax=1'); $this->assertEquals(403, $ham->getStatusCode()); $check = DataObject::get_by_id('Comment', $commentID); $this->assertEquals(1, $check->IsSpam, 'No permission to mark as ham'); @@ -218,7 +218,7 @@ class CommentsTest extends FunctionalTest { $comment = $this->objFromFixture('Comment', 'secondComB'); $commentID = $comment->ID; $this->assertFalse($comment->ApproveLink(), 'No permission to see approve link'); - $approve = $this->get('CommentingController/approve/'.$comment->ID); + $approve = $this->get('CommentingController/approve/'.$comment->ID.'?ajax=1'); $this->assertEquals(403, $approve->getStatusCode()); $check = DataObject::get_by_id('Comment', $commentID); $this->assertEquals(0, $check->Moderated, 'No permission to approve');