diff options
| -rw-r--r-- | app/Http/Middleware/AuthEditor.php | 8 | ||||
| -rw-r--r-- | app/Http/Middleware/AuthManager.php | 8 | ||||
| -rw-r--r-- | app/Http/Middleware/AuthMember.php | 8 | ||||
| -rw-r--r-- | app/Http/Middleware/AuthModerator.php | 8 |
4 files changed, 23 insertions, 9 deletions
diff --git a/app/Http/Middleware/AuthEditor.php b/app/Http/Middleware/AuthEditor.php index 860161f2b0..d4aed9a241 100644 --- a/app/Http/Middleware/AuthEditor.php +++ b/app/Http/Middleware/AuthEditor.php @@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; -use function assert; use function redirect; use function route; @@ -48,7 +48,11 @@ class AuthEditor implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - assert($tree instanceof Tree); + + // We've matched a tree parameter in the route, but it is private or deleted. + if (!$tree instanceof Tree) { + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); + } $user = $request->getAttribute('user'); diff --git a/app/Http/Middleware/AuthManager.php b/app/Http/Middleware/AuthManager.php index bc84af5688..4390f2e0ac 100644 --- a/app/Http/Middleware/AuthManager.php +++ b/app/Http/Middleware/AuthManager.php @@ -30,6 +30,7 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; use function redirect; use function route; @@ -48,13 +49,14 @@ class AuthManager implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - $user = $request->getAttribute('user'); - // Tree no longer exists? + // We've matched a tree parameter in the route, but it is private or deleted. if (!$tree instanceof Tree) { - return redirect(route(ControlPanel::class)); + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); } + $user = $request->getAttribute('user'); + // Logged in with the correct role? if (Auth::isManager($tree, $user)) { return $handler->handle($request); diff --git a/app/Http/Middleware/AuthMember.php b/app/Http/Middleware/AuthMember.php index 841ad9ac3e..8164fd9ac5 100644 --- a/app/Http/Middleware/AuthMember.php +++ b/app/Http/Middleware/AuthMember.php @@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; -use function assert; use function redirect; use function route; @@ -48,7 +48,11 @@ class AuthMember implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - assert($tree instanceof Tree); + + // We've matched a tree parameter in the route, but it is private or deleted. + if (!$tree instanceof Tree) { + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); + } $user = $request->getAttribute('user'); diff --git a/app/Http/Middleware/AuthModerator.php b/app/Http/Middleware/AuthModerator.php index 0f61d570fa..cc5fa1cc38 100644 --- a/app/Http/Middleware/AuthModerator.php +++ b/app/Http/Middleware/AuthModerator.php @@ -29,8 +29,8 @@ use Psr\Http\Message\ServerRequestInterface; use Psr\Http\Server\MiddlewareInterface; use Psr\Http\Server\RequestHandlerInterface; use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException; +use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; -use function assert; use function redirect; use function route; @@ -48,7 +48,11 @@ class AuthModerator implements MiddlewareInterface public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface { $tree = $request->getAttribute('tree'); - assert($tree instanceof Tree); + + // We've matched a tree parameter in the route, but it is private or deleted. + if (!$tree instanceof Tree) { + throw new NotFoundHttpException(I18N::translate('You do not have permission to view this page.')); + } $user = $request->getAttribute('user'); |
