openrat-cms


commit c04140302c0172a85968556210da33d1c81f20ce
parent dea9402cf82511e5f198ae37b981d55427974b2d
Author: dankert <openrat@jandankert.de>
Date:   Sat,  4 Dec 2021 00:18:39 +0100

Some security enhancements.

Diffstat:
Mmodules/cms/action/page/PageAllAction.class.php | 6++++--
Mmodules/cms/action/pageelement/PageelementValueAction.class.php | 5-----
Mmodules/cms/action/profile/ProfileAvailableAction.class.php | 5+++--
Mmodules/cms/ui/UI.class.php | 5+----
4 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/modules/cms/action/page/PageAllAction.class.php b/modules/cms/action/page/PageAllAction.class.php
@@ -18,6 +18,7 @@ use cms\model\Permission;
 use cms\model\Project;
 use cms\model\Value;
 use language\Messages;
+use util\exception\SecurityException;
 use util\exception\ValidationException;
 use util\Session;
 use util\Text;
@@ -25,7 +26,7 @@ use util\Text;
 class PageAllAction extends PageAction implements Method {
 public function getRequiredPermission() {
- return Permission::ACL_WRITE;
+ return Permission::ACL_READ;
 }
@@ -182,7 +183,8 @@ class PageAllAction extends PageAction implements Method {
 public function post() {
-
+ if ( !$this->page->hasRight( Permission::ACL_WRITE ))
+ throw new SecurityException();
 $languageid = $this->request->getRequiredNumber('languageid');
 $language = new Language($languageid);
diff --git a/modules/cms/action/pageelement/PageelementValueAction.class.php b/modules/cms/action/pageelement/PageelementValueAction.class.php
@@ -9,11 +9,6 @@ use cms\model\Page;
 class PageelementValueAction extends PageelementAction implements Method {
- protected function getRequiredPagePermission()
- {
- return Permission::ACL_WRITE;
- }
-
 public function view()
 {
 $this->element->load();
diff --git a/modules/cms/action/profile/ProfileAvailableAction.class.php b/modules/cms/action/profile/ProfileAvailableAction.class.php
@@ -5,6 +5,7 @@ use cms\action\BaseAction;
 use cms\action\Method;
 use cms\action\ProfileAction;
 use util\ClassName;
+use util\exception\SecurityException;
 class ProfileAvailableAction extends ProfileAction implements Method {
@@ -47,10 +48,10 @@ class ProfileAvailableAction extends ProfileAction implements Method {
 */
 $actionMethod = new $n();
 $actionMethod->request = $this->request;
- $actionMethod->init();
 try {
+ $actionMethod->init();
 $actionMethod->checkAccess();
- } catch( \Exception $e ) {
+ } catch( SecurityException $e ) {
 return false;
 }
 return true;
diff --git a/modules/cms/ui/UI.class.php b/modules/cms/ui/UI.class.php
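Review bot: Lowering getRequiredPermission() to Permission::ACL_READ makes every method of PageAllAction reachable with read rights, so write protection now depends on each mutating method repeating the `hasRight( Permission::ACL_WRITE )` guard that the third hunk adds to post(); any other state-changing method in this class (not visible here) would need the same guard. The same shift appears in PageelementValueAction, where the override returning ACL_WRITE is deleted and only view() is visible, so whether its write paths remain guarded cannot be confirmed from this diff. I would record the contract above the method: `// Class-level requirement is READ so view() works for readers; every mutating method must check ACL_WRITE itself (see post()).`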
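Review bot: The new guard in post() is a brace-less `if` followed by `throw new SecurityException();` with no message, so whatever logs the exception later has nothing to say about which permission was refused, which makes denied write attempts hard to tell apart from other security exceptions in the logs. I would write it as `if ( !$this->page->hasRight( Permission::ACL_WRITE )) {` / `    throw new SecurityException('ACL_WRITE required for this page');` / `}`, and include the page identifier if the Page model exposes one — assuming SecurityException accepts a message like a standard exception, which is outside the hunk. post() continues beyond the hunk.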
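Review bot: Narrowing the catch to SecurityException means any other exception raised by `init()` (now inside the try) or `checkAccess()` propagates out of this availability check instead of returning false, so one misbehaving action class could abort the whole availability listing rather than just being hidden. That may be intended — the old `catch( \Exception $e )` silently masked configuration errors as "not available" — but the trade-off deserves a comment, e.g. `// Only permission failures mean "not available"; any other exception is a bug and must surface.` The enclosing method and the origin of `$n` lie outside the hunk.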
@@ -70,10 +70,7 @@ class UI
 throw new LogicException(L::lang($e->key,$e->params),0, $e);
 } catch (SecurityException $e) {
 Logger::info($e);
- Http::noContent();
-
- // this is not good at all, because the user may have signed off.
- //Http::notAuthorized("You are not allowed to execute this action.");
+ Http::notAuthorized("You are not allowed to execute this action.");
 } catch (Exception $e) {
 Logger::warn( $e );
 throw new LogicException("Internal CMS error",0, $e);
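Review bot: The reinstated `Http::notAuthorized(...)` drops the comment that explained why it had been disabled (the user may have signed off), and the commit does not say what resolved that concern; if Http::notAuthorized emits a 401, a permission failure of a still-authenticated user is closer to 403 Forbidden, while 401 suggests the session is gone — exactly the ambiguity the removed comment pointed at. The message is also a fixed English literal, unlike the `L::lang(...)` text used for ValidationException two lines above. I would keep the rationale next to the call: `// Authenticated user lacking permission; a signed-off user must not reach this branch (TODO confirm against the session handling).` The enclosing method starts and ends outside the hunk.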