
annotate app/main/_filter/21_auth.lua @ 1109:498d655dbc18

Added missing access control for member profile images
author bsw
date Mon Nov 10 18:52:33 2014 +0100 (2014-11-10)
parents 2d69cc034132
children b9364e1b7994
-- Authentication filter run for every request.
-- It reads the requested module/view/action, decides whether an authenticated
-- member is required (auth_needed), relaxes that requirement for views that the
-- session's access level (app.session:has_access) makes public, and finally
-- either redirects to the login view or hands control to the requested
-- view/action via execute.inner().
-- Every exemption block below only ever clears auth_needed; nothing sets it back
-- to true, so the relative order of the blocks does not change the outcome.
local module = request.get_module()
local view = request.get_view()
local action = request.get_action()

-- Entry points of the 'index' module that must work without a session:
-- login, registration (and its cancellation), password reset, login link
-- mailing, notification e-mail confirmation, the menu fragment, language
-- switching and the 404 page.
local auth_needed = not (
  module == 'index'
  and (
    view == "login"
    or action == "login"
    or view == "register"
    or action == "register"
    or action == "cancel_register"
    or view == "about"
    or view == "reset_password"
    or action == "reset_password"
    or view == "send_login"
    or action == "send_login"
    or view == "confirm_notify_email"
    or action == "confirm_notify_email"
    or view == "menu"
    or action == "set_lang"
    or view == "404"
  )
)

-- Access level "anonymous": the read-only content views (start page, unit,
-- area, policy, issue, initiative, suggestion and draft pages, search and the
-- usage terms) are served without a login.
if app.session:has_access("anonymous") then

  if
    module == "index" and view == "index"
    or module == "area" and view == "show"
    or module == "unit" and view == "show"
    or module == "policy" and view == "show"
    or module == "policy" and view == "list"
    or module == "issue" and view == "show"
    or module == "issue" and view == "history"
    or module == "initiative" and view == "show"
    or module == "initiative" and view == "history"
    or module == "suggestion" and view == "show"
    or module == "draft" and view == "diff"
    or module == "draft" and view == "show"
    or module == "index" and view == "search"
    or module == "index" and view == "usage_terms"
  then
    auth_needed = false
  end

end

-- Access level "authors_pseudonymous": member images are public only for
-- image_type "avatar". Because `and` short-circuits, param.get("image_type")
-- is only consulted for member_image/show; any other image type stays behind
-- the "everything" level or a login. (Check added by this revision, rev 1109:
-- "Added missing access control for member profile images".)
if app.session:has_access("authors_pseudonymous") then
  if module == "member_image" and view == "show" and param.get("image_type") == "avatar" then
    auth_needed = false
  end
end

-- Access level "everything": every member image type is public.
if app.session:has_access("everything") then
  if module == "member_image" and view == "show" then
    auth_needed = false
  end
end

-- Access level "all_pseudonymous": incoming vote/interest listings, the member
-- list and the vote list are public.
if app.session:has_access("all_pseudonymous") then
  if module == "vote" and view == "show_incoming"
    or module == "member" and view == "list"
    or module == "interest" and view == "show_incoming"
    or module == "vote" and view == "list" then
    auth_needed = false
  end
end

-- Access level "everything": member profile and member history pages are public.
-- NOTE(review): has_access("everything") is evaluated a second time here; the
-- two "everything" blocks are kept separate as written.
if app.session:has_access("everything") then
  if module == "member" and (view == "show" or view == "history") then
    auth_needed = false
  end
end

-- The sitemap never requires a login, whatever the access level.
if module == "sitemap" then
  auth_needed = false
end

-- A visitor without a member_id who requests the start page while that page
-- still requires a login is redirected to the unit overview (or directly to the
-- single configured unit); the inner handler is not run in that case.
if app.session:has_access("anonymous") and not app.session.member_id and auth_needed and module == "index" and view == "index" then
  if config.single_unit_id then
    request.redirect{ module = "unit", view = "show", id = config.single_unit_id }
  else
    request.redirect{ module = "unit", view = "list" }
  end
  return
end

-- Development-only bypass, kept commented out: it would assign user_id 1 to
-- every unauthenticated session and must stay disabled in any deployment.
-- if not app.session.user_id then
--   trace.debug("DEBUG: AUTHENTICATION BYPASS ENABLED")
--   app.session.user_id = 1
-- end

-- Final decision: redirect to login, or run the requested view/action.
if auth_needed and app.session.member == nil then
  -- No member in the session: go to the login view and carry the requested
  -- module/view/id along so the login can return here afterwards.
  trace.debug("Not authenticated yet.")
  request.redirect{
    module = 'index', view = 'login', params = {
      redirect_module = module,
      redirect_view = view,
      redirect_id = param.get_id()
    }
  }
elseif auth_needed and app.session.member.locked then
  -- Locked accounts are sent to the login view without a return target.
  trace.debug("Member locked.")
  request.redirect{ module = 'index', view = 'login' }
else
  -- When the hard delegation-check interval is configured and the session is
  -- flagged as needing the check, intercept the request with a redirect to the
  -- check_delegations view. Exempt are the admin module, the index-module
  -- entry points listed below (so the check itself, logout, about, usage terms
  -- and language switching keep working) and member image requests.
  if config.check_delegations_interval_hard and app.session.member_id and app.session.needs_delegation_check
    and not (module == "admin" or (module == "index" and (
      view == "check_delegations"
      or action == "check_delegations"
      or action == "logout"
      or view == "about"
      or view == "usage_terms"
      or action == "set_lang")
    ))
    and not (module == "member_image" and view == "show") then
    request.redirect{ module = 'index', view = 'check_delegations' }
    return
  end
  if auth_needed then
    trace.debug("Authentication accepted.")
  else
    trace.debug("No authentication needed.")
  end

  --db:query("SELECT check_everything()")

  -- Hand control to the requested view/action.
  execute.inner()
  trace.debug("End of authentication filter.")
end

