liquid_feedback_frontend
view app/main/_filter/21_auth.lua @ 1109:498d655dbc18
Added missing access control for member profile images
| author | bsw |
|---|---|
| date | Mon Nov 10 18:52:33 2014 +0100 (2014-11-10) |
| parents | 2d69cc034132 |
| children | b9364e1b7994 |
line source
1 local module = request.get_module()
2 local view = request.get_view()
3 local action = request.get_action()
5 local auth_needed = not (
6 module == 'index'
7 and (
8 view == "login"
9 or action == "login"
10 or view == "register"
11 or action == "register"
12 or action == "cancel_register"
13 or view == "about"
14 or view == "reset_password"
15 or action == "reset_password"
16 or view == "send_login"
17 or action == "send_login"
18 or view == "confirm_notify_email"
19 or action == "confirm_notify_email"
20 or view == "menu"
21 or action == "set_lang"
22 or view == "404"
23 )
24 )
26 if app.session:has_access("anonymous") then
28 if
29 module == "index" and view == "index"
30 or module == "area" and view == "show"
31 or module == "unit" and view == "show"
32 or module == "policy" and view == "show"
33 or module == "policy" and view == "list"
34 or module == "issue" and view == "show"
35 or module == "issue" and view == "history"
36 or module == "initiative" and view == "show"
37 or module == "initiative" and view == "history"
38 or module == "suggestion" and view == "show"
39 or module == "draft" and view == "diff"
40 or module == "draft" and view == "show"
41 or module == "index" and view == "search"
42 or module == "index" and view == "usage_terms"
43 then
44 auth_needed = false
45 end
47 end
49 if app.session:has_access("authors_pseudonymous") then
50 if module == "member_image" and view == "show" and param.get("image_type") == "avatar" then
51 auth_needed = false
52 end
53 end
55 if app.session:has_access("everything") then
56 if module == "member_image" and view == "show" then
57 auth_needed = false
58 end
59 end
61 if app.session:has_access("all_pseudonymous") then
62 if module == "vote" and view == "show_incoming"
63 or module == "member" and view == "list"
64 or module == "interest" and view == "show_incoming"
65 or module == "vote" and view == "list" then
66 auth_needed = false
67 end
68 end
70 if app.session:has_access("everything") then
71 if module == "member" and (view == "show" or view == "history") then
72 auth_needed = false
73 end
74 end
76 if module == "sitemap" then
77 auth_needed = false
78 end
80 if app.session:has_access("anonymous") and not app.session.member_id and auth_needed and module == "index" and view == "index" then
81 if config.single_unit_id then
82 request.redirect{ module = "unit", view = "show", id = config.single_unit_id }
83 else
84 request.redirect{ module = "unit", view = "list" }
85 end
86 return
87 end
89 -- if not app.session.user_id then
90 -- trace.debug("DEBUG: AUTHENTICATION BYPASS ENABLED")
91 -- app.session.user_id = 1
92 -- end
94 if auth_needed and app.session.member == nil then
95 trace.debug("Not authenticated yet.")
96 request.redirect{
97 module = 'index', view = 'login', params = {
98 redirect_module = module,
99 redirect_view = view,
100 redirect_id = param.get_id()
101 }
102 }
103 elseif auth_needed and app.session.member.locked then
104 trace.debug("Member locked.")
105 request.redirect{ module = 'index', view = 'login' }
106 else
107 if config.check_delegations_interval_hard and app.session.member_id and app.session.needs_delegation_check
108 and not (module == "admin" or (module == "index" and (
109 view == "check_delegations"
110 or action == "check_delegations"
111 or action == "logout"
112 or view == "about"
113 or view == "usage_terms"
114 or action == "set_lang")
115 ))
116 and not (module == "member_image" and view == "show") then
117 request.redirect{ module = 'index', view = 'check_delegations' }
118 return
119 end
120 if auth_needed then
121 trace.debug("Authentication accepted.")
122 else
123 trace.debug("No authentication needed.")
124 end
126 --db:query("SELECT check_everything()")
128 execute.inner()
129 trace.debug("End of authentication filter.")
130 end