From 556f28cbba6bb4245e9d15711b97d893ef5b98c1 Mon Sep 17 00:00:00 2001 From: vincent-peugnet Date: Thu, 9 Nov 2023 12:02:16 +0100 Subject: [PATCH] implement forbidden message instead of redirection When the user is connected but is not allowed to access a part of the app --- app/class/Controlleradmin.php | 45 ++++++++------ app/class/Controllermedia.php | 89 ++++++++++++++------------- app/class/Controllerpage.php | 7 ++- app/class/Controllerprofile.php | 95 ++++++++++++++--------------- app/class/Controlleruser.php | 9 ++- app/view/templates/forbidden.php | 28 +++++++++ app/view/templates/unauthorized.php | 20 ------ 7 files changed, 161 insertions(+), 132 deletions(-) create mode 100644 app/view/templates/forbidden.php delete mode 100644 app/view/templates/unauthorized.php diff --git a/app/class/Controlleradmin.php b/app/class/Controlleradmin.php index 51c3f004..ed659555 100644 --- a/app/class/Controlleradmin.php +++ b/app/class/Controlleradmin.php 
@@ -16,32 +16,39 @@ public function __construct($router) parent::__construct($router); $this->adminmanager = new Modeladmin(); + + if ($this->user->isvisitor()) { + http_response_code(401); + $this->showtemplate('connect', ['route' => 'admin']); + exit; + } + if (!$this->user->isadmin()) { + http_response_code(403); + $this->showtemplate('forbidden', []); + exit; + } } public function desktop() { - if ($this->user->isadmin()) { - $datas['pagelist'] = $this->pagemanager->list(); - $this->mediamanager = new Modelmedia(); - $datas['faviconlist'] = $this->mediamanager->listfavicon(); - $datas['thumbnaillist'] = $this->mediamanager->listthumbnail(); - $datas['themes'] = $this->mediamanager->listthemes(); + $datas['pagelist'] = $this->pagemanager->list(); + $this->mediamanager = new Modelmedia(); + $datas['faviconlist'] = $this->mediamanager->listfavicon(); + $datas['thumbnaillist'] = $this->mediamanager->listthumbnail(); + $datas['themes'] = $this->mediamanager->listthemes(); - $globalcssfile = Model::GLOBAL_CSS_FILE; - - if (is_file($globalcssfile)) { - $datas['globalcss'] = file_get_contents($globalcssfile); - } else { - $datas['globalcss'] = ""; - } + $globalcssfile = Model::GLOBAL_CSS_FILE; - $datas['pagesdblist'] = $this->adminmanager->pagesdblist(); - $datas['pagesdbtree'] = $this->mediamanager->listdir(Model::PAGES_DIR); - - $this->showtemplate('admin', $datas); + if (is_file($globalcssfile)) { + $datas['globalcss'] = file_get_contents($globalcssfile); } else { - $this->routedirect('home'); + $datas['globalcss'] = ""; } + + $datas['pagesdblist'] = $this->adminmanager->pagesdblist(); + $datas['pagesdbtree'] = $this->mediamanager->listdir(Model::PAGES_DIR); + + $this->showtemplate('admin', $datas); } public function update() 
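Review bot: The visitor branch added to the constructor sends `http_response_code(401)` without a `WWW-Authenticate` header, which RFC 7235 requires on every 401; the same pattern is added in the Controllermedia, Controllerprofile and Controlleruser constructors. Browsers render the connect template anyway, but fetch() callers, proxies and scanners treat a bare 401 as malformed, and there is no registered HTTP auth scheme for a form login to advertise. Either keep 401 and record the deviation with a comment such as `// 401 without WWW-Authenticate: login is form-based, no HTTP auth scheme to advertise`, or use 403 (or 200 with the connect form) for the logged-out case as well. Centralising the gate in the constructor does make every action of this controller fail closed, which is an improvement over the per-action checks it replaces.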
@@ -52,10 +59,10 @@ public function update() Config::hydrate($_POST); Config::savejson(); Model::sendflashmessage("Configuration succesfully updated", Model::FLASH_SUCCESS); - $this->routedirect('admin'); } catch (Filesystemexception $e) { Model::sendflashmessage("Can't write config file or global css file", Model::FLASH_ERROR); } + $this->routedirect('admin'); } public function database() diff --git a/app/class/Controllermedia.php b/app/class/Controllermedia.php index 9394f918..a444f399 100644 --- a/app/class/Controllermedia.php +++ b/app/class/Controllermedia.php 
@@ -21,62 +21,69 @@ public function __construct(AltoRouter $router) $this->mediamanager = new Modelmedia(); $this->mediaopt = new Mediaopt($_GET); + + if ($this->user->isvisitor()) { + http_response_code(401); + $this->showtemplate('connect', ['route' => 'media']); + exit; + } } public function desktop() { - if ($this->user->iseditor()) { - try { - Fs::dircheck(Model::FONT_DIR, true, 0775); - Fs::dircheck(Model::THUMBNAIL_DIR, true, 0775); - Fs::dircheck(Model::FAVICON_DIR, true, 0775); - Fs::dircheck(Model::CSS_DIR, true, 0775); - } catch (RuntimeException $e) { - Model::sendflashmessage($e->getMessage(), Model::FLASH_ERROR); - } - if (isset($_POST['query'])) { - $datas = array_merge($_GET, $_POST); - } else { - $datas = $_GET; - } + if (!$this->user->iseditor()) { + http_response_code(403); + $this->showtemplate('forbidden', []); + exit; + } + try { + Fs::dircheck(Model::FONT_DIR, true, 0775); + Fs::dircheck(Model::THUMBNAIL_DIR, true, 0775); + Fs::dircheck(Model::FAVICON_DIR, true, 0775); + Fs::dircheck(Model::CSS_DIR, true, 0775); + } catch (RuntimeException $e) { + Model::sendflashmessage($e->getMessage(), Model::FLASH_ERROR); + } + if (isset($_POST['query'])) { + $datas = array_merge($_GET, $_POST); + } else { + $datas = $_GET; + } - $mediaopt = new Mediaoptlist($datas); + $mediaopt = new Mediaoptlist($datas); - try { - $this->mediamanager->checkdir($this->mediaopt->dir()); - } catch (Folderexception $e) { - Model::sendflashmessage($e->getMessage(), Model::FLASH_WARNING); - $this->mediaopt->setpath(Model::MEDIA_DIR); - $this->redirect($this->generate("media", [], $this->mediaopt->getpathadress())); - } + try { + $this->mediamanager->checkdir($this->mediaopt->dir()); + } catch (Folderexception $e) { + Model::sendflashmessage($e->getMessage(), Model::FLASH_WARNING); + $this->mediaopt->setpath(Model::MEDIA_DIR); + $this->redirect($this->generate("media", [], $this->mediaopt->getpathadress())); + } - $medialist = $this->mediamanager->medialistopt($mediaopt); + 
$medialist = $this->mediamanager->medialistopt($mediaopt); - $dirlist = $this->mediamanager->listdir(Model::MEDIA_DIR); + $dirlist = $this->mediamanager->listdir(Model::MEDIA_DIR); - $pathlist = []; - $this->mediamanager->listpath($dirlist, '', $pathlist); + $pathlist = []; + $this->mediamanager->listpath($dirlist, '', $pathlist); - $vars['maxuploadsize'] = readablesize(file_upload_max_size()) . 'o'; - $vars['cssfont'] = Model::dirtopath(Model::FONTS_CSS_FILE); + $vars['maxuploadsize'] = readablesize(file_upload_max_size()) . 'o'; + $vars['cssfont'] = Model::dirtopath(Model::FONTS_CSS_FILE); - if (isset($_GET['display'])) { - $this->workspace->setmediadisplay($_GET['display']); - $this->workspace2session(); - } + if (isset($_GET['display'])) { + $this->workspace->setmediadisplay($_GET['display']); + $this->workspace2session(); + } - $vars['filtercode'] = !empty($_POST); // indicate that filter code has been generated - $vars['medialist'] = $medialist; - $vars['dirlist'] = $dirlist; - $vars['pathlist'] = $pathlist; - $vars['mediaopt'] = $mediaopt; + $vars['filtercode'] = !empty($_POST); // indicate that filter code has been generated + $vars['medialist'] = $medialist; + $vars['dirlist'] = $dirlist; + $vars['pathlist'] = $pathlist; + $vars['mediaopt'] = $mediaopt; - $this->showtemplate('media', $vars); - } else { - $this->routedirect('home'); - } + $this->showtemplate('media', $vars); } public function upload() diff --git a/app/class/Controllerpage.php b/app/class/Controllerpage.php index 03f55c89..a3a3394c 100644 --- a/app/class/Controllerpage.php +++ b/app/class/Controllerpage.php @@ -235,9 +235,9 @@ public function edit($page) $this->pageconnect('pageedit'); if ($this->importpage()) { - if (!$this->canedit($this->page)) { - $this->showtemplate('unauthorized', ['route' => 'pageedit', 'id' => $this->page->id()]); + http_response_code(403); + $this->showtemplate('forbidden', ['route' => 'pageedit', 'id' => $this->page->id()]); exit; } 
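Review bot: The editor check added at the top of desktop() (`if (!$this->user->iseditor())`) protects only that action, while the constructor gate added above it rejects visitors only; upload() and the other actions of this controller (outside the hunk) therefore still need their own iseditor() checks or they become reachable by any logged-in account. If every media action requires editor level, move the iseditor() test next to the isvisitor() one in the constructor so the rule is stated once. Separately, the re-indented Folderexception catch calls `$this->redirect(...)` and then continues into `medialistopt()` and the template unless redirect() terminates the script; if it does not, add `exit;` after the redirect. desktop() starts inside the hunk but upload() continues outside it.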
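Review bot: As this hunk is rendered, the `if (!$this->canedit($this->page)) {` line sits on the removed side with no replacement, whereas the hunk counts (-235,9 +235,9) fit better with a collapsed blank removed line and the canedit() guard being unchanged context. Please confirm the guard survives in the new file: without it the `http_response_code(403)` branch would fire for every successful importpage() call, locking all editors out of pageedit. The edit() method continues outside the hunk.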
@@ -300,7 +300,8 @@ public function add($page) $this->pagemanager->add($this->page); $this->routedirect('pageedit', ['page' => $this->page->id()]); } else { - $this->routedirect('pageread', ['page' => $this->page->id()]); + http_response_code(403); + $this->showtemplate('forbidden', ['route' => 'pageedit', 'id' => $this->page->id()]); } } diff --git a/app/class/Controllerprofile.php b/app/class/Controllerprofile.php index b58993d6..4d63aba7 100644 --- a/app/class/Controllerprofile.php +++ b/app/class/Controllerprofile.php 
@@ -7,73 +7,72 @@ class Controllerprofile extends Controller { + public function __construct($router) + { + parent::__construct($router); + + if ($this->user->isvisitor()) { + http_response_code(401); + $this->showtemplate('connect', ['route' => 'profile']); + exit; + } + } + public function desktop() { - if ($this->user->isinvite()) { - try { - $datas['user'] = $this->usermanager->get($this->user); - $this->showtemplate('profile', $datas); - } catch (Notfoundexception $e) { - Model::sendflashmessage($e->getMessage(), Model::FLASH_ERROR); - $this->routedirect('home'); - } - } else { + try { + $datas['user'] = $this->usermanager->get($this->user); + $this->showtemplate('profile', $datas); + } catch (Notfoundexception $e) { + Model::sendflashmessage($e->getMessage(), Model::FLASH_ERROR); $this->routedirect('home'); } } public function update() { - if ($this->user->isinvite()) { - try { - $user = $this->usermanager->get($this->user); - $user->hydrateexception($_POST); - $this->usermanager->add($user); - } catch (Notfoundexception $e) { - Model::sendflashmessage($e->getMessage(), Model::FLASH_ERROR); - } catch (RuntimeException $e) { - Model::sendflashmessage( - 'There was a problem when updating preference : ' . $e->getMessage(), - Model::FLASH_ERROR - ); - } - $this->routedirect('profile'); - } else { - $this->routedirect('home'); + try { + $user = $this->usermanager->get($this->user); + $user->hydrateexception($_POST); + $this->usermanager->add($user); + } catch (Notfoundexception $e) { + Model::sendflashmessage($e->getMessage(), Model::FLASH_ERROR); + } catch (RuntimeException $e) { + Model::sendflashmessage( + 'There was a problem when updating preference : ' . 
$e->getMessage(), + Model::FLASH_ERROR + ); } + $this->routedirect('profile'); } public function password() { - if ($this->user->isinvite()) { - if ( - !isset($_POST['currentpassword']) || - !$this->usermanager->passwordcheck($this->user->id(), $_POST['currentpassword']) - ) { - Model::sendflashmessage("wrong current password", 'error'); - $this->routedirect('profile'); - } + if ( + !isset($_POST['currentpassword']) || + !$this->usermanager->passwordcheck($this->user->id(), $_POST['currentpassword']) + ) { + Model::sendflashmessage("wrong current password", 'error'); + $this->routedirect('profile'); + } + if ( + !empty($_POST['password1']) && + !empty($_POST['password2']) && + $_POST['password1'] === $_POST['password2'] + ) { if ( - !empty($_POST['password1']) && - !empty($_POST['password2']) && - $_POST['password1'] === $_POST['password2'] + $this->user->setpassword($_POST['password1']) && + $this->user->hashpassword() && + $this->usermanager->add($this->user) ) { - if ( - $this->user->setpassword($_POST['password1']) && - $this->user->hashpassword() && - $this->usermanager->add($this->user) - ) { - Model::sendflashmessage('password updated successfully', 'success'); - } else { - Model::sendflashmessage("password is not compatible or an error occured", 'error'); - } + Model::sendflashmessage('password updated successfully', 'success'); } else { - Model::sendflashmessage("passwords does not match", "error"); + Model::sendflashmessage("password is not compatible or an error occured", 'error'); } - $this->routedirect('profile'); } else { - $this->routedirect('home'); + Model::sendflashmessage("passwords does not match", "error"); } + $this->routedirect('profile'); } } diff --git a/app/class/Controlleruser.php b/app/class/Controlleruser.php index 8f3fd5b5..687cd3cb 100644 --- a/app/class/Controlleruser.php +++ b/app/class/Controlleruser.php 
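Review bot: In password(), the wrong-current-password branch calls `$this->routedirect('profile');` and then falls through to the password-change block unless routedirect() terminates the script; this pre-dates the re-indent, but that call is now the only thing between a failed current-password check and `$this->user->setpassword($_POST['password1'])`. If routedirect() does not exit, add `return;` after it (the same applies to the inner `$this->routedirect('profile')` calls elsewhere in the method). The per-action `isinvite()` checks in desktop(), update() and password() were replaced by the single `!isvisitor()` gate in the new constructor, which is equivalent only if invite is the lowest non-visitor level — worth confirming, since otherwise the profile actions become reachable by accounts that were previously excluded.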
@@ -10,6 +10,12 @@ class Controlleruser extends Controller public function __construct($router) { parent::__construct($router); + + if ($this->user->isvisitor()) { + http_response_code(401); + $this->showtemplate('connect', ['route' => 'user']); + exit; + } } public function desktop() @@ -18,7 +24,8 @@ public function desktop() $datas['userlist'] = $this->usermanager->getlister(); $this->showtemplate('user', $datas); } else { - $this->routedirect('home'); + http_response_code(403); + $this->showtemplate('forbidden', []); } } diff --git a/app/view/templates/forbidden.php b/app/view/templates/forbidden.php new file mode 100644 index 00000000..98ca846a --- /dev/null +++ b/app/view/templates/forbidden.php @@ -0,0 +1,28 @@ +layout('layout', ['title' => 'Forbidden', 'description' => 'forbidden', 'stylesheets' => [$css . 'home.css']]) ?> + + + + +start('page') ?> + +

Forbidden

+ + +level() ?> + + +isinvite()) { ?> +

+ Sorry name() ?>, you are not allowed to do this. +

+ + +back to page read view

'; +} else { + echo '

Go back to home'; +} +?> + +stop() ?> diff --git a/app/view/templates/unauthorized.php b/app/view/templates/unauthorized.php deleted file mode 100644 index 494cbf2a..00000000 --- a/app/view/templates/unauthorized.php +++ /dev/null @@ -1,20 +0,0 @@ -layout('layout', ['title' => 'Unauthorized', 'description' => 'unauthorized', 'stylesheets' => [$css . 'home.css']]) ?> - - - - -start('page') ?> - -
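Review bot: The template echoes the current user's name into HTML (`name()`; the PHP tags are stripped in this rendering, so the exact expression is not visible) — if name() returns the stored value unescaped, write it as `<?= htmlspecialchars($user->name(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>`. The "back to page read view" link appears to be built from `$route` and `$id`, but Controlleradmin, Controllermedia and Controlleruser call `showtemplate('forbidden', [])`, so either that branch is guarded with `isset($route, $id)` or those callers must pass the keys, otherwise the 403 page raises undefined-variable notices. The `level()` output above the message looks carried over from the deleted unauthorized.php; if it is a debug print of the user level rather than a styling hook, drop it so the error page does not expose the account's privilege level.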

Unauthorized

- - -level() ?> - - -back to page read view

'; -} -?> - -stop() ?>