ENHANCEMENT Only logging out users on Security::permissionFailure() is called in non-ajax context. For ajax requests, we now return a 403 HTTP Status in a HTTPResponse Object, with a ":NOTLOGGEDIN" body for backwards compatibility. If a logout+redirection is required after an ajax-request, this should be handled by the clientside.

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@65147 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer 2008-11-03 13:50:06 +00:00
parent c998006b2c
commit c4f3bc962f

View File

@ -140,66 +140,67 @@ class Security extends Controller {
* access the item. * access the item.
*/ */
static function permissionFailure($controller = null, $messageSet = null) { static function permissionFailure($controller = null, $messageSet = null) {
// Prepare the messageSet provided
if(!$messageSet) {
if(self::$default_message_set) {
$messageSet = self::$default_message_set;
} else {
$messageSet = array(
'default' => _t(
'Security.NOTEPAGESECURED',
"That page is secured. Enter your credentials below and we will send you right along."
),
'alreadyLoggedIn' => _t(
'Security.ALREADYLOGGEDIN',
"You don't have access to this page. If you have another account that can access that page, you can log in below."
),
'logInAgain' => _t(
'Security.LOGGEDOUT',
"You have been logged out. If you would like to log in again, enter your credentials below."
)
);
}
}
if(!is_array($messageSet)) {
$messageSet = array('default' => $messageSet);
}
// Work out the right message to show
if(Member::currentUserID()) {
// user_error( 'PermFailure with member', E_USER_ERROR );
$message = isset($messageSet['alreadyLoggedIn'])
? $messageSet['alreadyLoggedIn']
: $messageSet['default'];
if($member = Member::currentUser())
$member->logout();
} else if(substr(Director::history(),0,15) == 'Security/logout') {
$message = $messageSet['logInAgain']
? $messageSet['logInAgain']
: $messageSet['default'];
} else {
$message = $messageSet['default'];
}
Session::set("Security.Message.message", $message);
Session::set("Security.Message.type", 'warning');
Session::set("BackURL", $_SERVER['REQUEST_URI']);
// TODO AccessLogEntry needs an extension to handle permission denied errors
// Audit logging hook
if($controller) $controller->extend('permissionDenied', $member);
// AccessLogEntry::create("Permission to access {$name} denied");
if(Director::is_ajax()) { if(Director::is_ajax()) {
die('NOTLOGGEDIN:'); $response = ($controller) ? $controller->getResponse() : new HTTPResponse();
$response->setStatusCode(403);
$response->setBody('NOTLOGGEDIN:');
return $response;
} else { } else {
// Prepare the messageSet provided
if(!$messageSet) {
if(self::$default_message_set) {
$messageSet = self::$default_message_set;
} else {
$messageSet = array(
'default' => _t(
'Security.NOTEPAGESECURED',
"That page is secured. Enter your credentials below and we will send you right along."
),
'alreadyLoggedIn' => _t(
'Security.ALREADYLOGGEDIN',
"You don't have access to this page. If you have another account that can access that page, you can log in below."
),
'logInAgain' => _t(
'Security.LOGGEDOUT',
"You have been logged out. If you would like to log in again, enter your credentials below."
)
);
}
}
if(!is_array($messageSet)) {
$messageSet = array('default' => $messageSet);
}
// Work out the right message to show
if(Member::currentUserID()) {
// user_error( 'PermFailure with member', E_USER_ERROR );
$message = isset($messageSet['alreadyLoggedIn'])
? $messageSet['alreadyLoggedIn']
: $messageSet['default'];
if($member = Member::currentUser())
$member->logout();
} else if(substr(Director::history(),0,15) == 'Security/logout') {
$message = $messageSet['logInAgain']
? $messageSet['logInAgain']
: $messageSet['default'];
} else {
$message = $messageSet['default'];
}
Session::set("Security.Message.message", $message);
Session::set("Security.Message.type", 'warning');
Session::set("BackURL", $_SERVER['REQUEST_URI']);
// TODO AccessLogEntry needs an extension to handle permission denied errors
// Audit logging hook
if($controller) $controller->extend('permissionDenied', $member);
Director::redirect("Security/login"); Director::redirect("Security/login");
} }
return; return;