1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-20 20:40:56 +01:00

Send 403 for admin pages without being admin

Summary: I've also moved the response generation for 404 from
##AphrontDefaultApplicationConfiguration## to ##buildResponseString()##

Test Plan:
Visit /
Visit /mail/
Visit /x/

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley, vrana

Differential Revision: https://secure.phabricator.com/D1406
This commit is contained in:
vrana 2012-01-15 01:07:56 -08:00
parent d8bbf55959
commit 9ba4f24e93
15 changed files with 86 additions and 31 deletions

View file

@ -10,6 +10,7 @@ phutil_register_library_map(array(
array( array(
'Aphront304Response' => 'aphront/response/304', 'Aphront304Response' => 'aphront/response/304',
'Aphront400Response' => 'aphront/response/400', 'Aphront400Response' => 'aphront/response/400',
'Aphront403Response' => 'aphront/response/403',
'Aphront404Response' => 'aphront/response/404', 'Aphront404Response' => 'aphront/response/404',
'AphrontAjaxResponse' => 'aphront/response/ajax', 'AphrontAjaxResponse' => 'aphront/response/ajax',
'AphrontApplicationConfiguration' => 'aphront/applicationconfiguration', 'AphrontApplicationConfiguration' => 'aphront/applicationconfiguration',
@ -785,7 +786,8 @@ phutil_register_library_map(array(
array( array(
'Aphront304Response' => 'AphrontResponse', 'Aphront304Response' => 'AphrontResponse',
'Aphront400Response' => 'AphrontResponse', 'Aphront400Response' => 'AphrontResponse',
'Aphront404Response' => 'AphrontResponse', 'Aphront403Response' => 'AphrontWebpageResponse',
'Aphront404Response' => 'AphrontWebpageResponse',
'AphrontAjaxResponse' => 'AphrontResponse', 'AphrontAjaxResponse' => 'AphrontResponse',
'AphrontAttachedFileView' => 'AphrontView', 'AphrontAttachedFileView' => 'AphrontView',
'AphrontCSRFException' => 'AphrontException', 'AphrontCSRFException' => 'AphrontException',

View file

@ -466,22 +466,6 @@ class AphrontDefaultApplicationConfiguration
'redirect' => $response->getURI(), 'redirect' => $response->getURI(),
)); ));
} }
} else if ($response instanceof Aphront404Response) {
$failure = new AphrontRequestFailureView();
$failure->setHeader('404 Not Found');
$failure->appendChild(
'<p>The page you requested was not found.</p>');
$view = new PhabricatorStandardPageView();
$view->setTitle('404 Not Found');
$view->setRequest($this->getRequest());
$view->appendChild($failure);
$response = new AphrontWebpageResponse();
$response->setContent($view->render());
$response->setHTTPResponseCode(404);
return $response;
} }
return $response; return $response;

View file

@ -17,7 +17,6 @@ phutil_require_module('phabricator', 'applications/people/storage/user');
phutil_require_module('phabricator', 'infrastructure/env'); phutil_require_module('phabricator', 'infrastructure/env');
phutil_require_module('phabricator', 'view/control/table'); phutil_require_module('phabricator', 'view/control/table');
phutil_require_module('phabricator', 'view/dialog'); phutil_require_module('phabricator', 'view/dialog');
phutil_require_module('phabricator', 'view/page/failure');
phutil_require_module('phabricator', 'view/page/standard'); phutil_require_module('phabricator', 'view/page/standard');
phutil_require_module('phutil', 'error'); phutil_require_module('phutil', 'error');

View file

@ -0,0 +1,42 @@
<?php
/*
* Copyright 2012 Facebook, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @group aphront
*/
class Aphront403Response extends AphrontWebpageResponse {
public function getHTTPResponseCode() {
return 403;
}
public function buildResponseString() {
$failure = new AphrontRequestFailureView();
$failure->setHeader('403 Forbidden');
$failure->appendChild(
'<p>You do not have privileges to access the requested page.</p>');
$view = new PhabricatorStandardPageView();
$view->setTitle('403 Forbidden');
$view->setRequest($this->getRequest());
$view->appendChild($failure);
return $view->render();
}
}

View file

@ -0,0 +1,14 @@
<?php
/**
* This file is automatically generated. Lint this module to rebuild it.
* @generated
*/
phutil_require_module('phabricator', 'aphront/response/webpage');
phutil_require_module('phabricator', 'view/page/failure');
phutil_require_module('phabricator', 'view/page/standard');
phutil_require_source('Aphront403Response.php');

View file

@ -1,7 +1,7 @@
<?php <?php
/* /*
* Copyright 2011 Facebook, Inc. * Copyright 2012 Facebook, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -19,14 +19,23 @@
/** /**
* @group aphront * @group aphront
*/ */
class Aphront404Response extends AphrontResponse { class Aphront404Response extends AphrontWebpageResponse {
public function getHTTPResponseCode() { public function getHTTPResponseCode() {
return 404; return 404;
} }
public function buildResponseString() { public function buildResponseString() {
return '404 Not Found'; $failure = new AphrontRequestFailureView();
$failure->setHeader('404 Not Found');
$failure->appendChild('<p>The page you requested was not found.</p>');
$view = new PhabricatorStandardPageView();
$view->setTitle('404 Not Found');
$view->setRequest($this->getRequest());
$view->appendChild($failure);
return $view->render();
} }
} }

View file

@ -6,7 +6,9 @@
phutil_require_module('phabricator', 'aphront/response/base'); phutil_require_module('phabricator', 'aphront/response/webpage');
phutil_require_module('phabricator', 'view/page/failure');
phutil_require_module('phabricator', 'view/page/standard');
phutil_require_source('Aphront404Response.php'); phutil_require_source('Aphront404Response.php');

View file

@ -1,7 +1,7 @@
<?php <?php
/* /*
* Copyright 2011 Facebook, Inc. * Copyright 2012 Facebook, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -83,7 +83,7 @@ abstract class PhabricatorController extends AphrontController {
} }
if ($this->shouldRequireAdmin() && !$user->getIsAdmin()) { if ($this->shouldRequireAdmin() && !$user->getIsAdmin()) {
return new Aphront404Response(); return new Aphront403Response();
} }
} }

View file

@ -8,7 +8,7 @@
phutil_require_module('phabricator', 'aphront/console/core'); phutil_require_module('phabricator', 'aphront/console/core');
phutil_require_module('phabricator', 'aphront/controller'); phutil_require_module('phabricator', 'aphront/controller');
phutil_require_module('phabricator', 'aphront/response/404'); phutil_require_module('phabricator', 'aphront/response/403');
phutil_require_module('phabricator', 'aphront/response/webpage'); phutil_require_module('phabricator', 'aphront/response/webpage');
phutil_require_module('phabricator', 'applications/people/storage/user'); phutil_require_module('phabricator', 'applications/people/storage/user');
phutil_require_module('phabricator', 'infrastructure/env'); phutil_require_module('phabricator', 'infrastructure/env');

View file

@ -1,7 +1,7 @@
<?php <?php
/* /*
* Copyright 2011 Facebook, Inc. * Copyright 2012 Facebook, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -35,7 +35,7 @@ class PhabricatorCountdownDeleteController
if (($timer->getAuthorPHID() !== $user->getPHID()) if (($timer->getAuthorPHID() !== $user->getPHID())
&& $user->getIsAdmin() === false) { && $user->getIsAdmin() === false) {
return new Aphront404Response(); return new Aphront403Response();
} }
if ($request->isFormPost()) { if ($request->isFormPost()) {

View file

@ -6,6 +6,7 @@
phutil_require_module('phabricator', 'aphront/response/403');
phutil_require_module('phabricator', 'aphront/response/404'); phutil_require_module('phabricator', 'aphront/response/404');
phutil_require_module('phabricator', 'aphront/response/dialog'); phutil_require_module('phabricator', 'aphront/response/dialog');
phutil_require_module('phabricator', 'aphront/response/redirect'); phutil_require_module('phabricator', 'aphront/response/redirect');

View file

@ -1,7 +1,7 @@
<?php <?php
/* /*
* Copyright 2011 Facebook, Inc. * Copyright 2012 Facebook, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -39,7 +39,7 @@ class PhabricatorCountdownEditController
if (($timer->getAuthorPHID() != $user->getPHID()) if (($timer->getAuthorPHID() != $user->getPHID())
&& $user->getIsAdmin() == false) { && $user->getIsAdmin() == false) {
return new Aphront404Response(); return new Aphront403Response();
} }
$action_label = 'Update Timer'; $action_label = 'Update Timer';

View file

@ -6,6 +6,7 @@
phutil_require_module('phabricator', 'aphront/response/403');
phutil_require_module('phabricator', 'aphront/response/404'); phutil_require_module('phabricator', 'aphront/response/404');
phutil_require_module('phabricator', 'aphront/response/redirect'); phutil_require_module('phabricator', 'aphront/response/redirect');
phutil_require_module('phabricator', 'applications/countdown/controller/base'); phutil_require_module('phabricator', 'applications/countdown/controller/base');

View file

@ -1,7 +1,7 @@
<?php <?php
/* /*
* Copyright 2011 Facebook, Inc. * Copyright 2012 Facebook, Inc.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -52,7 +52,7 @@ class PhabricatorFileAltViewController extends PhabricatorFileController {
} }
if (!$file->validateSecretKey($this->key)) { if (!$file->validateSecretKey($this->key)) {
return new Aphront404Response(); return new Aphront403Response();
} }
// It's safe to bypass view restrictions because we know we are being served // It's safe to bypass view restrictions because we know we are being served

View file

@ -7,6 +7,7 @@
phutil_require_module('phabricator', 'aphront/response/400'); phutil_require_module('phabricator', 'aphront/response/400');
phutil_require_module('phabricator', 'aphront/response/403');
phutil_require_module('phabricator', 'aphront/response/404'); phutil_require_module('phabricator', 'aphront/response/404');
phutil_require_module('phabricator', 'aphront/response/file'); phutil_require_module('phabricator', 'aphront/response/file');
phutil_require_module('phabricator', 'applications/files/controller/base'); phutil_require_module('phabricator', 'applications/files/controller/base');