diff options
| author | Greg Roach <fisharebest@webtrees.net> | 2019-11-14 09:22:45 +0000 |
|---|---|---|
| committer | Greg Roach <fisharebest@webtrees.net> | 2019-11-14 09:22:45 +0000 |
| commit | 4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12 (patch) | |
| tree | 5256c42821c63356b1857e77f2ff02999430d716 | |
| parent | 1b8d6713c6dd806c2ab085baa73c915a6ad6273f (diff) | |
| download | webtrees-4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12.tar.gz webtrees-4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12.tar.bz2 webtrees-4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12.zip | |
Error handling when following links to private/deleted trees
| -rw-r--r-- | app/Http/Middleware/AuthEditor.php | 8 | ||||
| -rw-r--r-- | app/Http/Middleware/AuthManager.php | 8 | ||||
| -rw-r--r-- | app/Http/Middleware/AuthMember.php | 8 | ||||
| -rw-r--r-- | app/Http/Middleware/AuthModerator.php | 8 |
4 files changed, 23 insertions, 9 deletions
diff --git a/app/Http/Middleware/AuthEditor.php b/app/Http/Middleware/AuthEditor.php index 860161f2b0..d4aed9a241 100644 --- a/app/Http/Middleware/AuthEditor.php +++ b/app/Http/Middleware/AuthEditor.php @@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; -use function assert; use function redirect; use function route; @@ -48,7 +48,11 @@ class AuthEditor implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - assert($tree instanceof Tree); + + // We've matched a tree parameter in the route, but it is private or deleted. + if (!$tree instanceof Tree) { + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); + } $user = $request->getAttribute('user'); diff --git a/app/Http/Middleware/AuthManager.php b/app/Http/Middleware/AuthManager.php index bc84af5688..4390f2e0ac 100644 --- a/app/Http/Middleware/AuthManager.php +++ b/app/Http/Middleware/AuthManager.php @@ -30,6 +30,7 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; use function redirect; use function route; @@ -48,13 +49,14 @@ class AuthManager implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - $user = $request->getAttribute('user'); - // Tree no longer exists? + // We've matched a tree parameter in the route, but it is private or deleted. if (!$tree instanceof Tree) { - return redirect(route(ControlPanel::class)); + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); } + $user = $request->getAttribute('user'); + // Logged in with the correct role? if (Auth::isManager($tree, $user)) { return $handler->handle($request); diff --git a/app/Http/Middleware/AuthMember.php b/app/Http/Middleware/AuthMember.php index 841ad9ac3e..8164fd9ac5 100644 --- a/app/Http/Middleware/AuthMember.php +++ b/app/Http/Middleware/AuthMember.php @@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; -use function assert; use function redirect; use function route; @@ -48,7 +48,11 @@ class AuthMember implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - assert($tree instanceof Tree); + + // We've matched a tree parameter in the route, but it is private or deleted. + if (!$tree instanceof Tree) { + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); + } $user = $request->getAttribute('user'); diff --git a/app/Http/Middleware/AuthModerator.php b/app/Http/Middleware/AuthModerator.php index 0f61d570fa..cc5fa1cc38 100644 --- a/app/Http/Middleware/AuthModerator.php +++ b/app/Http/Middleware/AuthModerator.php @@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; -use function assert; use function redirect; use function route; @@ -48,7 +48,11 @@ class AuthModerator implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - assert($tree instanceof Tree); + + // We've matched a tree parameter in the route, but it is private or deleted. + if (!$tree instanceof Tree) { + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); + } $user = $request->getAttribute('user'); |
