mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
ENHANCEMENT Only logging out users on Security::permissionFailure() is called in non-ajax context. For ajax requests, we now return a 403 HTTP Status in a HTTPResponse Object, with a ":NOTLOGGEDIN" body for backwards compatibility. If a logout+redirection is required after an ajax-request, this should be handled by the clientside.
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@65147 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Ingo Schommer
parent
c998006b2c
commit
c4f3bc962f
@ -140,66 +140,67 @@ class Security extends Controller {
|
||||
* access the item.
|
||||
*/
|
||||
static function permissionFailure($controller = null, $messageSet = null) {
|
||||
// Prepare the messageSet provided
|
||||
if(!$messageSet) {
|
||||
if(self::$default_message_set) {
|
||||
$messageSet = self::$default_message_set;
|
||||
} else {
|
||||
$messageSet = array(
|
||||
'default' => _t(
|
||||
'Security.NOTEPAGESECURED',
|
||||
"That page is secured. Enter your credentials below and we will send you right along."
|
||||
),
|
||||
'alreadyLoggedIn' => _t(
|
||||
'Security.ALREADYLOGGEDIN',
|
||||
"You don't have access to this page. If you have another account that can access that page, you can log in below."
|
||||
),
|
||||
'logInAgain' => _t(
|
||||
'Security.LOGGEDOUT',
|
||||
"You have been logged out. If you would like to log in again, enter your credentials below."
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
if(!is_array($messageSet)) {
|
||||
$messageSet = array('default' => $messageSet);
|
||||
}
|
||||
|
||||
// Work out the right message to show
|
||||
if(Member::currentUserID()) {
|
||||
// user_error( 'PermFailure with member', E_USER_ERROR );
|
||||
|
||||
$message = isset($messageSet['alreadyLoggedIn'])
|
||||
? $messageSet['alreadyLoggedIn']
|
||||
: $messageSet['default'];
|
||||
|
||||
if($member = Member::currentUser())
|
||||
$member->logout();
|
||||
|
||||
} else if(substr(Director::history(),0,15) == 'Security/logout') {
|
||||
$message = $messageSet['logInAgain']
|
||||
? $messageSet['logInAgain']
|
||||
: $messageSet['default'];
|
||||
|
||||
} else {
|
||||
$message = $messageSet['default'];
|
||||
}
|
||||
|
||||
Session::set("Security.Message.message", $message);
|
||||
Session::set("Security.Message.type", 'warning');
|
||||
|
||||
Session::set("BackURL", $_SERVER['REQUEST_URI']);
|
||||
|
||||
// TODO AccessLogEntry needs an extension to handle permission denied errors
|
||||
// Audit logging hook
|
||||
if($controller) $controller->extend('permissionDenied', $member);
|
||||
|
||||
// AccessLogEntry::create("Permission to access {$name} denied");
|
||||
|
||||
if(Director::is_ajax()) {
|
||||
die('NOTLOGGEDIN:');
|
||||
$response = ($controller) ? $controller->getResponse() : new HTTPResponse();
|
||||
$response->setStatusCode(403);
|
||||
$response->setBody('NOTLOGGEDIN:');
|
||||
return $response;
|
||||
} else {
|
||||
// Prepare the messageSet provided
|
||||
if(!$messageSet) {
|
||||
if(self::$default_message_set) {
|
||||
$messageSet = self::$default_message_set;
|
||||
} else {
|
||||
$messageSet = array(
|
||||
'default' => _t(
|
||||
'Security.NOTEPAGESECURED',
|
||||
"That page is secured. Enter your credentials below and we will send you right along."
|
||||
),
|
||||
'alreadyLoggedIn' => _t(
|
||||
'Security.ALREADYLOGGEDIN',
|
||||
"You don't have access to this page. If you have another account that can access that page, you can log in below."
|
||||
),
|
||||
'logInAgain' => _t(
|
||||
'Security.LOGGEDOUT',
|
||||
"You have been logged out. If you would like to log in again, enter your credentials below."
|
||||
)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
if(!is_array($messageSet)) {
|
||||
$messageSet = array('default' => $messageSet);
|
||||
}
|
||||
|
||||
// Work out the right message to show
|
||||
if(Member::currentUserID()) {
|
||||
// user_error( 'PermFailure with member', E_USER_ERROR );
|
||||
|
||||
$message = isset($messageSet['alreadyLoggedIn'])
|
||||
? $messageSet['alreadyLoggedIn']
|
||||
: $messageSet['default'];
|
||||
|
||||
if($member = Member::currentUser())
|
||||
$member->logout();
|
||||
|
||||
} else if(substr(Director::history(),0,15) == 'Security/logout') {
|
||||
$message = $messageSet['logInAgain']
|
||||
? $messageSet['logInAgain']
|
||||
: $messageSet['default'];
|
||||
|
||||
} else {
|
||||
$message = $messageSet['default'];
|
||||
}
|
||||
|
||||
Session::set("Security.Message.message", $message);
|
||||
Session::set("Security.Message.type", 'warning');
|
||||
|
||||
Session::set("BackURL", $_SERVER['REQUEST_URI']);
|
||||
|
||||
// TODO AccessLogEntry needs an extension to handle permission denied errors
|
||||
// Audit logging hook
|
||||
if($controller) $controller->extend('permissionDenied', $member);
|
||||
|
||||
Director::redirect("Security/login");
|
||||
}
|
||||
return;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user