From d38c79f584243aa12ff95952d83134c93e201c50 Mon Sep 17 00:00:00 2001
From: Sam Minnee
Date: Thu, 9 Jul 2009 03:20:32 +0000
Subject: [PATCH] ENHANCEMENT: If you are logged in and Security::permissionFailure() is called, just return a 403
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@81430 467b73ca-7a2a-4603-9d3b-597d59a354a9
---
 security/Security.php | 33 +++++++++++++++++++++++--------
 tests/SiteTreePermissionsTest.php | 2 +-
 2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/security/Security.php b/security/Security.php
index 914c5f2ab..d19c4f62f 100644
--- a/security/Security.php
+++ b/security/Security.php
@@ -138,8 +138,13 @@ class Security extends Controller {
  * in and lacks the
  * permission to
  * access the item.
+ *
+ * The alreadyLoggedIn value can contain a '%s' placeholder that will be replaced with a link
+ * to log in.
  */
 static function permissionFailure($controller = null, $messageSet = null) {
+ if(!$controller) $controller = Controller::curr();
+
 if(Director::is_ajax()) {
 $response = ($controller) ? $controller->getResponse() : new HTTPResponse();
 $response->setStatusCode(403);
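Review bot: The new docblock line `The alreadyLoggedIn value can contain a '%s' placeholder that will be replaced with a link to log in` overstates what is substituted: the sprintf() later in this patch feeds the placeholder a bare login URL (Security/login plus a BackURL query), not an anchor element, so a caller who wants a clickable link must wrap the placeholder in `<a href="%s">...</a>` itself. I would make that explicit: `* The alreadyLoggedIn value can contain a '%s' placeholder that will be replaced with the URL of the login page (with a BackURL pointing at the current request); wrap it in an <a> tag if the message is rendered as HTML.` The body of permissionFailure() continues past the end of this hunk.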
@@ -154,15 +159,20 @@ class Security extends Controller {
 $messageSet = array(
 'default' => _t(
 'Security.NOTEPAGESECURED',
- "That page is secured. Enter your credentials below and we will send you right along."
+ "That page is secured. Enter your credentials below and we will send "
+ . "you right along."
 ),
 'alreadyLoggedIn' => _t(
 'Security.ALREADYLOGGEDIN',
- "You don't have access to this page. If you have another account that can access that page, you can log in below."
+ "You don't have access to this page. If you have another account that "
+ . "can access that page, you can log in again.",
+ PR_MEDIUM,
+ "%s will be replaced with a link to log in."
 ),
 'logInAgain' => _t(
 'Security.LOGGEDOUT',
- "You have been logged out. If you would like to log in again, enter your credentials below."
+ "You have been logged out. If you would like to log in again, enter "
+ . "your credentials below."
 )
 );
 }
@@ -173,11 +183,18 @@ class Security extends Controller {
 }
 // Work out the right message to show
- if(Member::currentUserID()) {
- $message = isset($messageSet['alreadyLoggedIn']) ? $messageSet['alreadyLoggedIn'] : $messageSet['default'];
- if($member = Member::currentUser()) {
- $member->logOut();
- }
+ if(Member::currentUser()) {
+ $response = ($controller) ? $controller->getResponse() : new HTTPResponse();
+ $response->setStatusCode(403);
+
+ // Replace %s with the log in link
+ $body = sprintf($messageSet['alreadyLoggedIn'],
+ Controller::join_links(Director::baseURL(), 'Security/login',
+ '?BackURL=' . urlencode($_SERVER['REQUEST_URI'])));
+
+ $response->setBody($body);
+ return $response;
+
 } else if(substr(Director::history(),0,15) == 'Security/logout') {
 $message = $messageSet['logInAgain'] ? $messageSet['logInAgain'] : $messageSet['default'];
 } else {
diff --git a/tests/SiteTreePermissionsTest.php b/tests/SiteTreePermissionsTest.php
index fb49246cd..18092226a 100644
--- a/tests/SiteTreePermissionsTest.php
+++ b/tests/SiteTreePermissionsTest.php
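Review bot: The new default `alreadyLoggedIn` text ("...you can log in again.") contains no `%s`, yet the translator hint added directly below it says `%s will be replaced with a link to log in`, so with the stock messages the sprintf() later in this patch silently discards the login URL and the 403 body tells the member they can log in again without saying where. Either put the placeholder into the string, e.g. `. "can access that page, you can <a href=\"%s\">log in again</a>.",` (assuming the 403 body is served as HTML, which this hunk does not show), or reword the hint to say the placeholder is optional. Because the string now goes through sprintf(), translators also need to be told that a literal percent sign must be written as `%%`; that caveat belongs in the same hint.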
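Review bot: The new branch reads `$messageSet['alreadyLoggedIn']` unconditionally, dropping the `isset(...) ? ... : $messageSet['default']` fallback the removed lines had, so a caller that supplies its own message set without that key gets an undefined-index notice and an empty 403 body. Restore the fallback before formatting: `$message = isset($messageSet['alreadyLoggedIn']) ? $messageSet['alreadyLoggedIn'] : $messageSet['default'];` and then `$body = sprintf($message,` with the join_links() argument unchanged. Separately, BackURL is built from the raw `$_SERVER['REQUEST_URI']`; urlencode() keeps it safe inside the query string, but a request for `//evil.example/...` produces a protocol-relative BackURL, so this is only safe if the login handler (not visible here) refuses to redirect to anything that is not a site-relative path — worth confirming. The surrounding else-branches and the rest of permissionFailure() continue past the end of this hunk.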
@@ -106,7 +106,7 @@ class SiteTreePermissionsTest extends FunctionalTest {
 $response = $this->get($page->URLSegment);
 $this->assertEquals(
 $response->getStatusCode(),
- 302,
+ 403,
 'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
 );
 $this->session()->inst_set('loggedInAs', null);
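Review bot: The updated assertion only pins the status code, so the test passes even if the 403 response carries no usable content, and the point of this change is that a logged-in member now receives a body with a login URL instead of being logged out and redirected. Add a body check after the assertEquals(), e.g. `$this->assertContains('Security/login', $response->getBody(), 'The 403 body offers a login link');` — with the default messages shipped in this patch, which contain no `%s`, that assertion would currently fail and expose the missing placeholder. The test method continues outside the hunk on both sides.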