summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGreg Roach <fisharebest@webtrees.net>2019-11-14 09:22:45 +0000
committerGreg Roach <fisharebest@webtrees.net>2019-11-14 09:22:45 +0000
commit4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12 (patch)
tree5256c42821c63356b1857e77f2ff02999430d716
parent1b8d6713c6dd806c2ab085baa73c915a6ad6273f (diff)
downloadwebtrees-4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12.tar.gz
webtrees-4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12.tar.bz2
webtrees-4c5ad28ec4c28d07dc4c5c3aff86790e323ddc12.zip
Error handling when following links to private/deleted trees
-rw-r--r--app/Http/Middleware/AuthEditor.php8
-rw-r--r--app/Http/Middleware/AuthManager.php8
-rw-r--r--app/Http/Middleware/AuthMember.php8
-rw-r--r--app/Http/Middleware/AuthModerator.php8
4 files changed, 23 insertions, 9 deletions
diff --git a/app/Http/Middleware/AuthEditor.php b/app/Http/Middleware/AuthEditor.php
index 860161f2b0..d4aed9a241 100644
--- a/app/Http/Middleware/AuthEditor.php
+++ b/app/Http/Middleware/AuthEditor.php
@@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
-use function assert;
use function redirect;
use function route;
@@ -48,7 +48,11 @@ class AuthEditor implements MiddlewareInterface
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$tree = $request->getAttribute('tree');
- assert($tree instanceof Tree);
+
+ // We've matched a tree parameter in the route, but it is private or deleted.
+ if (!$tree instanceof Tree) {
+ throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.'));
+ }
$user = $request->getAttribute('user');
diff --git a/app/Http/Middleware/AuthManager.php b/app/Http/Middleware/AuthManager.php
index bc84af5688..4390f2e0ac 100644
--- a/app/Http/Middleware/AuthManager.php
+++ b/app/Http/Middleware/AuthManager.php
@@ -30,6 +30,7 @@ use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use function redirect;
use function route;
@@ -48,13 +49,14 @@ class AuthManager implements MiddlewareInterface
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$tree = $request->getAttribute('tree');
- $user = $request->getAttribute('user');
- // Tree no longer exists?
+ // We've matched a tree parameter in the route, but it is private or deleted.
if (!$tree instanceof Tree) {
- return redirect(route(ControlPanel::class));
+ throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.'));
}
+ $user = $request->getAttribute('user');
+
// Logged in with the correct role?
if (Auth::isManager($tree, $user)) {
return $handler->handle($request);
diff --git a/app/Http/Middleware/AuthMember.php b/app/Http/Middleware/AuthMember.php
index 841ad9ac3e..8164fd9ac5 100644
--- a/app/Http/Middleware/AuthMember.php
+++ b/app/Http/Middleware/AuthMember.php
@@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
-use function assert;
use function redirect;
use function route;
@@ -48,7 +48,11 @@ class AuthMember implements MiddlewareInterface
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$tree = $request->getAttribute('tree');
- assert($tree instanceof Tree);
+
+ // We've matched a tree parameter in the route, but it is private or deleted.
+ if (!$tree instanceof Tree) {
+ throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.'));
+ }
$user = $request->getAttribute('user');
diff --git a/app/Http/Middleware/AuthModerator.php b/app/Http/Middleware/AuthModerator.php
index 0f61d570fa..cc5fa1cc38 100644
--- a/app/Http/Middleware/AuthModerator.php
+++ b/app/Http/Middleware/AuthModerator.php
@@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
-use function assert;
use function redirect;
use function route;
@@ -48,7 +48,11 @@ class AuthModerator implements MiddlewareInterface
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
{
$tree = $request->getAttribute('tree');
- assert($tree instanceof Tree);
+
+ // We've matched a tree parameter in the route, but it is private or deleted.
+ if (!$tree instanceof Tree) {
+ throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.'));
+ }
$user = $request->getAttribute('user');