tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

ENHANCEMENT: If you are logged in and Security::permissionFailure() is called, just return a 403

Browse Source 
git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@81430 467b73ca-7a2a-4603-9d3b-597d59a354a9
This commit is contained in:
Sam Minnee 2009-07-09 03:20:32 +00:00
parent 7085f1ce65
commit d38c79f584
2 changed files with 26 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
security/Security.php
View File

@ -138,8 +138,13 @@ class Security extends Controller {
* in and lacks the * in and lacks the
* permission to * permission to
* access the item. * access the item.
*
* The alreadyLoggedIn value can contain a '%s' placeholder that will be replaced with a link
* to log in.
*/ */
static function permissionFailure($controller = null, $messageSet = null) { static function permissionFailure($controller = null, $messageSet = null) {
if(!$controller) $controller = Controller::curr();
if(Director::is_ajax()) { if(Director::is_ajax()) {
$response = ($controller) ? $controller->getResponse() : new HTTPResponse(); $response = ($controller) ? $controller->getResponse() : new HTTPResponse();
$response->setStatusCode(403); $response->setStatusCode(403);
@ -154,15 +159,20 @@ class Security extends Controller {
$messageSet = array( $messageSet = array(
'default' => _t( 'default' => _t(
'Security.NOTEPAGESECURED', 'Security.NOTEPAGESECURED',
"That page is secured. Enter your credentials below and we will send you right along." "That page is secured. Enter your credentials below and we will send "
. "you right along."
), ),
'alreadyLoggedIn' => _t( 'alreadyLoggedIn' => _t(
'Security.ALREADYLOGGEDIN', 'Security.ALREADYLOGGEDIN',
"You don't have access to this page. If you have another account that can access that page, you can log in below." "You don't have access to this page. If you have another account that "
. "can access that page, you can <a href=\"%s\">log in again</a>.",
PR_MEDIUM,
"%s will be replaced with a link to log in."
), ),
'logInAgain' => _t( 'logInAgain' => _t(
'Security.LOGGEDOUT', 'Security.LOGGEDOUT',
"You have been logged out. If you would like to log in again, enter your credentials below." "You have been logged out. If you would like to log in again, enter "
. "your credentials below."
) )
); );
} }
@ -173,11 +183,18 @@ class Security extends Controller {
} }
// Work out the right message to show // Work out the right message to show
if(Member::currentUserID()) { if(Member::currentUser()) {
$message = isset($messageSet['alreadyLoggedIn']) ? $messageSet['alreadyLoggedIn'] : $messageSet['default']; $response = ($controller) ? $controller->getResponse() : new HTTPResponse();
if($member = Member::currentUser()) { $response->setStatusCode(403);
$member->logOut();
} // Replace %s with the log in link
$body = sprintf($messageSet['alreadyLoggedIn'],
Controller::join_links(Director::baseURL(), 'Security/login',
'?BackURL=' . urlencode($_SERVER['REQUEST_URI'])));
$response->setBody($body);
return $response;
} else if(substr(Director::history(),0,15) == 'Security/logout') { } else if(substr(Director::history(),0,15) == 'Security/logout') {
$message = $messageSet['logInAgain'] ? $messageSet['logInAgain'] : $messageSet['default']; $message = $messageSet['logInAgain'] ? $messageSet['logInAgain'] : $messageSet['default'];
} else { } else {

2
tests/SiteTreePermissionsTest.php
View File

@ -106,7 +106,7 @@ class SiteTreePermissionsTest extends FunctionalTest {
$response = $this->get($page->URLSegment); $response = $this->get($page->URLSegment);
$this->assertEquals( $this->assertEquals(
$response->getStatusCode(), $response->getStatusCode(),
302, 403,
'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups' 'Authenticated members cant view a page marked as "Viewable by these groups" if theyre not in the listed groups'
); );
$this->session()->inst_set('loggedInAs', null); $this->session()->inst_set('loggedInAs', null);