Send 403 for admin pages without being admin
Summary: I've also moved the response generation for 404 from ##AphrontDefaultApplicationConfiguration## to ##buildResponseString()## Test Plan: Visit / Visit /mail/ Visit /x/ Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley, vrana Differential Revision: https://secure.phabricator.com/D1406
This commit is contained in:
parent
d8bbf55959
commit
9ba4f24e93
15 changed files with 86 additions and 31 deletions
|
@ -10,6 +10,7 @@ phutil_register_library_map(array(
|
||||||
array(
|
array(
|
||||||
'Aphront304Response' => 'aphront/response/304',
|
'Aphront304Response' => 'aphront/response/304',
|
||||||
'Aphront400Response' => 'aphront/response/400',
|
'Aphront400Response' => 'aphront/response/400',
|
||||||
|
'Aphront403Response' => 'aphront/response/403',
|
||||||
'Aphront404Response' => 'aphront/response/404',
|
'Aphront404Response' => 'aphront/response/404',
|
||||||
'AphrontAjaxResponse' => 'aphront/response/ajax',
|
'AphrontAjaxResponse' => 'aphront/response/ajax',
|
||||||
'AphrontApplicationConfiguration' => 'aphront/applicationconfiguration',
|
'AphrontApplicationConfiguration' => 'aphront/applicationconfiguration',
|
||||||
|
@ -785,7 +786,8 @@ phutil_register_library_map(array(
|
||||||
array(
|
array(
|
||||||
'Aphront304Response' => 'AphrontResponse',
|
'Aphront304Response' => 'AphrontResponse',
|
||||||
'Aphront400Response' => 'AphrontResponse',
|
'Aphront400Response' => 'AphrontResponse',
|
||||||
'Aphront404Response' => 'AphrontResponse',
|
'Aphront403Response' => 'AphrontWebpageResponse',
|
||||||
|
'Aphront404Response' => 'AphrontWebpageResponse',
|
||||||
'AphrontAjaxResponse' => 'AphrontResponse',
|
'AphrontAjaxResponse' => 'AphrontResponse',
|
||||||
'AphrontAttachedFileView' => 'AphrontView',
|
'AphrontAttachedFileView' => 'AphrontView',
|
||||||
'AphrontCSRFException' => 'AphrontException',
|
'AphrontCSRFException' => 'AphrontException',
|
||||||
|
|
|
@ -466,22 +466,6 @@ class AphrontDefaultApplicationConfiguration
|
||||||
'redirect' => $response->getURI(),
|
'redirect' => $response->getURI(),
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
} else if ($response instanceof Aphront404Response) {
|
|
||||||
|
|
||||||
$failure = new AphrontRequestFailureView();
|
|
||||||
$failure->setHeader('404 Not Found');
|
|
||||||
$failure->appendChild(
|
|
||||||
'<p>The page you requested was not found.</p>');
|
|
||||||
|
|
||||||
$view = new PhabricatorStandardPageView();
|
|
||||||
$view->setTitle('404 Not Found');
|
|
||||||
$view->setRequest($this->getRequest());
|
|
||||||
$view->appendChild($failure);
|
|
||||||
|
|
||||||
$response = new AphrontWebpageResponse();
|
|
||||||
$response->setContent($view->render());
|
|
||||||
$response->setHTTPResponseCode(404);
|
|
||||||
return $response;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return $response;
|
return $response;
|
||||||
|
|
|
@ -17,7 +17,6 @@ phutil_require_module('phabricator', 'applications/people/storage/user');
|
||||||
phutil_require_module('phabricator', 'infrastructure/env');
|
phutil_require_module('phabricator', 'infrastructure/env');
|
||||||
phutil_require_module('phabricator', 'view/control/table');
|
phutil_require_module('phabricator', 'view/control/table');
|
||||||
phutil_require_module('phabricator', 'view/dialog');
|
phutil_require_module('phabricator', 'view/dialog');
|
||||||
phutil_require_module('phabricator', 'view/page/failure');
|
|
||||||
phutil_require_module('phabricator', 'view/page/standard');
|
phutil_require_module('phabricator', 'view/page/standard');
|
||||||
|
|
||||||
phutil_require_module('phutil', 'error');
|
phutil_require_module('phutil', 'error');
|
||||||
|
|
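--- /dev/null
+++ b/src/aphront/response/403/Aphront403Response.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * Copyright 2012 Facebook, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @group aphront
+ */
+class Aphront403Response extends AphrontWebpageResponse {
+
+  public function getHTTPResponseCode() {
+    return 403;
+  }
+
+  public function buildResponseString() {
+    $failure = new AphrontRequestFailureView();
+    $failure->setHeader('403 Forbidden');
+    $failure->appendChild(
+      '<p>You do not have privileges to access the requested page.</p>');
+
+    $view = new PhabricatorStandardPageView();
+    $view->setTitle('403 Forbidden');
+    $view->setRequest($this->getRequest());
+    $view->appendChild($failure);
+
+    return $view->render();
+  }
+
+}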
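Review bot: `buildResponseString()` here duplicates, statement for statement, the body this same commit adds to `Aphront404Response::buildResponseString()`, differing only in the header, title and message strings; hoisting the shared rendering into a protected helper on `AphrontWebpageResponse`, say `buildFailurePage($header, $message)`, would leave each subclass with a single call and keep the two error pages from drifting apart. `$view->setRequest($this->getRequest())` also assumes a request has been attached to the response before it is rendered; the controllers in this commit construct `new Aphront403Response()` bare, so it is worth confirming that the dispatcher always sets one, since the old code in `AphrontDefaultApplicationConfiguration` took the request from the configuration object instead. The class docblock carries only `@group aphront`; a one-line description such as `Webpage response that renders the standard request-failure page with HTTP status 403.` would tell a reader what distinguishes it from the 404 sibling.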
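--- /dev/null
+++ b/src/aphront/response/403/__init__.php
@@ -0,0 +1,14 @@
+<?php
+/**
+ * This file is automatically generated. Lint this module to rebuild it.
+ * @generated
+ */
+
+
+
+phutil_require_module('phabricator', 'aphront/response/webpage');
+phutil_require_module('phabricator', 'view/page/failure');
+phutil_require_module('phabricator', 'view/page/standard');
+
+
+phutil_require_source('Aphront403Response.php');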
@ -1,7 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2011 Facebook, Inc.
|
* Copyright 2012 Facebook, Inc.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -19,14 +19,23 @@
|
||||||
/**
|
/**
|
||||||
* @group aphront
|
* @group aphront
|
||||||
*/
|
*/
|
||||||
class Aphront404Response extends AphrontResponse {
|
class Aphront404Response extends AphrontWebpageResponse {
|
||||||
|
|
||||||
public function getHTTPResponseCode() {
|
public function getHTTPResponseCode() {
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function buildResponseString() {
|
public function buildResponseString() {
|
||||||
return '404 Not Found';
|
$failure = new AphrontRequestFailureView();
|
||||||
|
$failure->setHeader('404 Not Found');
|
||||||
|
$failure->appendChild('<p>The page you requested was not found.</p>');
|
||||||
|
|
||||||
|
$view = new PhabricatorStandardPageView();
|
||||||
|
$view->setTitle('404 Not Found');
|
||||||
|
$view->setRequest($this->getRequest());
|
||||||
|
$view->appendChild($failure);
|
||||||
|
|
||||||
|
return $view->render();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
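Review bot: Callers that previously received the plain-text body `'404 Not Found'` from `buildResponseString()` now get a complete HTML document, because the method renders a `PhabricatorStandardPageView` unconditionally and the class now extends `AphrontWebpageResponse` rather than `AphrontResponse`. That is the intended result for browser page loads, but if this response is ever returned on an Ajax or other non-HTML path the client now has to parse a page where it used to get a short string; the Test Plan's three page visits would not surface that. It would be worth confirming that Ajax requests are handled before this response is built, or stating the assumption in a comment such as `// Renders a full page; non-HTML callers are expected to be handled before this response is returned.`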
@ -6,7 +6,9 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
phutil_require_module('phabricator', 'aphront/response/base');
|
phutil_require_module('phabricator', 'aphront/response/webpage');
|
||||||
|
phutil_require_module('phabricator', 'view/page/failure');
|
||||||
|
phutil_require_module('phabricator', 'view/page/standard');
|
||||||
|
|
||||||
|
|
||||||
phutil_require_source('Aphront404Response.php');
|
phutil_require_source('Aphront404Response.php');
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2011 Facebook, Inc.
|
* Copyright 2012 Facebook, Inc.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -83,7 +83,7 @@ abstract class PhabricatorController extends AphrontController {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($this->shouldRequireAdmin() && !$user->getIsAdmin()) {
|
if ($this->shouldRequireAdmin() && !$user->getIsAdmin()) {
|
||||||
return new Aphront404Response();
|
return new Aphront403Response();
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
|
|
||||||
phutil_require_module('phabricator', 'aphront/console/core');
|
phutil_require_module('phabricator', 'aphront/console/core');
|
||||||
phutil_require_module('phabricator', 'aphront/controller');
|
phutil_require_module('phabricator', 'aphront/controller');
|
||||||
phutil_require_module('phabricator', 'aphront/response/404');
|
phutil_require_module('phabricator', 'aphront/response/403');
|
||||||
phutil_require_module('phabricator', 'aphront/response/webpage');
|
phutil_require_module('phabricator', 'aphront/response/webpage');
|
||||||
phutil_require_module('phabricator', 'applications/people/storage/user');
|
phutil_require_module('phabricator', 'applications/people/storage/user');
|
||||||
phutil_require_module('phabricator', 'infrastructure/env');
|
phutil_require_module('phabricator', 'infrastructure/env');
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2011 Facebook, Inc.
|
* Copyright 2012 Facebook, Inc.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -35,7 +35,7 @@ class PhabricatorCountdownDeleteController
|
||||||
|
|
||||||
if (($timer->getAuthorPHID() !== $user->getPHID())
|
if (($timer->getAuthorPHID() !== $user->getPHID())
|
||||||
&& $user->getIsAdmin() === false) {
|
&& $user->getIsAdmin() === false) {
|
||||||
return new Aphront404Response();
|
return new Aphront403Response();
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($request->isFormPost()) {
|
if ($request->isFormPost()) {
|
||||||
|
|
|
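Review bot: The admin check on the line `&& $user->getIsAdmin() === false) {` compares strictly against `false`, so the guard only fires when `getIsAdmin()` returns a genuine boolean; if it ever yields `0`, `'0'` or `null` (as a raw database column could), a non-author who is not an admin would fall through to the deletion below instead of receiving the 403. The same condition appears three different ways in this commit — `!$user->getIsAdmin()` in `PhabricatorController`, `=== false` here, and `== false` together with a loose `!=` on the PHIDs in `PhabricatorCountdownEditController` — and only the first is robust to the return type; suggest `&& !$user->getIsAdmin()) {` at both countdown sites and `!==` for the PHID comparison in the edit controller. The enclosing method begins before this hunk, so how `$user` and `$timer` are obtained is not visible here.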
@ -6,6 +6,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
phutil_require_module('phabricator', 'aphront/response/403');
|
||||||
phutil_require_module('phabricator', 'aphront/response/404');
|
phutil_require_module('phabricator', 'aphront/response/404');
|
||||||
phutil_require_module('phabricator', 'aphront/response/dialog');
|
phutil_require_module('phabricator', 'aphront/response/dialog');
|
||||||
phutil_require_module('phabricator', 'aphront/response/redirect');
|
phutil_require_module('phabricator', 'aphront/response/redirect');
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2011 Facebook, Inc.
|
* Copyright 2012 Facebook, Inc.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -39,7 +39,7 @@ class PhabricatorCountdownEditController
|
||||||
|
|
||||||
if (($timer->getAuthorPHID() != $user->getPHID())
|
if (($timer->getAuthorPHID() != $user->getPHID())
|
||||||
&& $user->getIsAdmin() == false) {
|
&& $user->getIsAdmin() == false) {
|
||||||
return new Aphront404Response();
|
return new Aphront403Response();
|
||||||
}
|
}
|
||||||
|
|
||||||
$action_label = 'Update Timer';
|
$action_label = 'Update Timer';
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
phutil_require_module('phabricator', 'aphront/response/403');
|
||||||
phutil_require_module('phabricator', 'aphront/response/404');
|
phutil_require_module('phabricator', 'aphront/response/404');
|
||||||
phutil_require_module('phabricator', 'aphront/response/redirect');
|
phutil_require_module('phabricator', 'aphront/response/redirect');
|
||||||
phutil_require_module('phabricator', 'applications/countdown/controller/base');
|
phutil_require_module('phabricator', 'applications/countdown/controller/base');
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
<?php
|
<?php
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright 2011 Facebook, Inc.
|
* Copyright 2012 Facebook, Inc.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -52,7 +52,7 @@ class PhabricatorFileAltViewController extends PhabricatorFileController {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!$file->validateSecretKey($this->key)) {
|
if (!$file->validateSecretKey($this->key)) {
|
||||||
return new Aphront404Response();
|
return new Aphront403Response();
|
||||||
}
|
}
|
||||||
|
|
||||||
// It's safe to bypass view restrictions because we know we are being served
|
// It's safe to bypass view restrictions because we know we are being served
|
||||||
|
|
|
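Review bot: Returning `Aphront403Response` when `validateSecretKey($this->key)` fails turns a failed capability check into an existence oracle: a client that has a file identifier but no valid key now learns from the 403-versus-404 distinction that the file exists, whereas the previous 404 disclosed nothing about it. The comment below this hunk states that view restrictions are bypassed on this route precisely because the key is the credential, so this site differs from the admin-page checks the commit title describes. Either keeping `return new Aphront404Response();` here, or recording why confirming existence is acceptable with a comment such as `// Invalid or missing key: 403 rather than 404 because <reason>`, would make the choice explicit. The enclosing method starts before this hunk and how `validateSecretKey()` compares the key is not visible here.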
@ -7,6 +7,7 @@
|
||||||
|
|
||||||
|
|
||||||
phutil_require_module('phabricator', 'aphront/response/400');
|
phutil_require_module('phabricator', 'aphront/response/400');
|
||||||
|
phutil_require_module('phabricator', 'aphront/response/403');
|
||||||
phutil_require_module('phabricator', 'aphront/response/404');
|
phutil_require_module('phabricator', 'aphront/response/404');
|
||||||
phutil_require_module('phabricator', 'aphront/response/file');
|
phutil_require_module('phabricator', 'aphront/response/file');
|
||||||
phutil_require_module('phabricator', 'applications/files/controller/base');
|
phutil_require_module('phabricator', 'applications/files/controller/base');
|
||||||
|
|