liquid_feedback_frontend
view app/main/_filter/21_auth.lua @ 1111:5b77825ecfa6
Backported missing access control for member profile images from version 3.0.3
| author | bsw |
|---|---|
| date | Mon Nov 10 18:54:34 2014 +0100 (2014-11-10) |
| parents | 5a712ec1a7f1 |
| children | b9364e1b7994 |
line source
1 local module = request.get_module()
2 local view = request.get_view()
3 local action = request.get_action()
5 local auth_needed = not (
6 module == 'index'
7 and (
8 view == "index"
9 or view == "login"
10 or action == "login"
11 or view == "register"
12 or action == "register"
13 or view == "about"
14 or view == "reset_password"
15 or action == "reset_password"
16 or view == "send_login"
17 or action == "send_login"
18 or view == "confirm_notify_email"
19 or action == "confirm_notify_email"
20 or view == "menu"
21 or action == "set_lang"
22 or view == "404"
23 )
24 )
26 if app.session:has_access("anonymous") then
28 if
29 module == "area" and view == "show"
30 or module == "unit" and view == "show"
31 or module == "policy" and view == "show"
32 or module == "policy" and view == "list"
33 or module == "issue" and view == "show"
34 or module == "initiative" and view == "show"
35 or module == "suggestion" and view == "show"
36 or module == "draft" and view == "diff"
37 or module == "draft" and view == "show"
38 or module == "draft" and view == "list"
39 or module == "index" and view == "search"
40 or module == "index" and view == "usage_terms"
41 then
42 auth_needed = false
43 end
45 end
47 if app.session:has_access("authors_pseudonymous") then
48 if module == "member_image" and view == "show" and param.get("image_type") == "avatar" then
49 auth_needed = false
50 end
51 end
53 if app.session:has_access("everything") then
54 if module == "member_image" and view == "show" then
55 auth_needed = false
56 end
57 end
59 if app.session:has_access("all_pseudonymous") then
60 if module == "vote" and view == "show_incoming"
61 or module == "interest" and view == "show_incoming"
62 or module == "supporter" and view == "show_incoming"
63 or module == "vote" and view == "list" then
64 auth_needed = false
65 end
66 end
68 if app.session:has_access("everything") then
69 if module == "member" and (view == "show" or view == "history") then
70 auth_needed = false
71 end
72 end
74 if module == "sitemap" then
75 auth_needed = false
76 end
78 if app.session:has_access("anonymous") and not app.session.member_id and auth_needed and module == "index" and view == "index" then
79 if config.single_unit_id then
80 request.redirect{ module = "unit", view = "show", id = config.single_unit_id }
81 else
82 request.redirect{ module = "unit", view = "list" }
83 end
84 return
85 end
87 -- if not app.session.user_id then
88 -- trace.debug("DEBUG: AUTHENTICATION BYPASS ENABLED")
89 -- app.session.user_id = 1
90 -- end
92 if auth_needed and app.session.member == nil then
93 trace.debug("Not authenticated yet.")
94 request.redirect{
95 module = 'index', view = 'login', params = {
96 redirect_module = module,
97 redirect_view = view,
98 redirect_id = param.get_id()
99 }
100 }
101 elseif auth_needed and app.session.member.locked then
102 trace.debug("Member locked.")
103 request.redirect{ module = 'index', view = 'login' }
104 else
105 if config.check_delegations_interval_hard and app.session.member_id and app.session.needs_delegation_check
106 and not (module == "admin" or (module == "index" and (
107 view == "check_delegations"
108 or action == "check_delegations"
109 or action == "logout"
110 or view == "about"
111 or view == "usage_terms"
112 or action == "set_lang")
113 ))
114 and not (module == "member_image" and view == "show") then
115 request.redirect{ module = 'index', view = 'check_delegations' }
116 return
117 end
118 if auth_needed then
119 trace.debug("Authentication accepted.")
120 else
121 trace.debug("No authentication needed.")
122 end
124 --db:query("SELECT check_everything()")
126 execute.inner()
127 trace.debug("End of authentication filter.")
128 end