liquid_feedback_frontend

view app/main/_filter/21_auth.lua @ 1540:b0b557858fd8

Fixed access to non-existing session object in auth filter
author bsw
date Tue Oct 20 17:58:07 2020 +0200 (2020-10-20)
parents 17e7082c377a
children 1eaea27130bc
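--- Authentication filter (app/main/_filter/21_auth.lua).
-- Decides for every request whether a logged-in member is required and,
-- if that requirement is not met, redirects to the login view (or to the
-- mandatory delegation check) instead of running the view. Only when the
-- request is cleared does the filter hand over to execute.inner().
-- Requests that reach neither redirect nor execute.inner() produce no
-- output at all, i.e. the filter fails closed.
local module = request.get_module()
local view = request.get_view()
local action = request.get_action()

-- Default is "authentication required"; the rules below may clear it.
local auth_needed = true

-- Views/actions of the "index" module that must work without a login:
-- login and registration flows, password reset, language switch, static
-- pages and the error pages.
if module == 'index' and (
  view == 'index'
  or view == "login"
  or action == "login"
  or view == "register"
  or action == "register"
  or action == "cancel_register"
  or view == "about"
  or view == "reset_password"
  or action == "reset_password"
  or view == "send_login"
  or action == "send_login"
  or view == "confirm_notify_email"
  or action == "confirm_notify_email"
  or view == "menu"
  or action == "set_lang"
  or view == "403"
  or view == "404"
  or view == "405"
) then
  auth_needed = false
end

-- Whole modules that are public by design.
if module == "registration" then
  auth_needed = false
end

if module == "style" then
  auth_needed = false
end

if module == "help" then
  auth_needed = false
end

-- OAuth2 endpoints that are part of the authorization flow itself and
-- therefore cannot require a logged-in member.
if module == "oauth2" and (
  view == "validate"
  or view == "token"
  or view == "session"
  or view == "register"
) then
  auth_needed = false
end

if module == "oauth2_client" then
  auth_needed = false
end

-- The API module does its own authorization (access tokens); the session
-- based check here does not apply to it.
if module == "api" then
  auth_needed = false
end

-- Rules that depend on the access level of the current session.
-- app.session may be absent for a request; then none of these rules
-- apply and the module/view based decision above stands.
if app.session then

  -- Read-only views that are public when anonymous access is enabled.
  if app.session:has_access("anonymous") then
    if
      (module == "index" and view == "index")
      or (module == "area" and view == "show")
      or (module == "unit" and view == "show")
      or (module == "policy" and view == "show")
      or (module == "policy" and view == "list")
      or (module == "issue" and view == "show")
      or (module == "issue" and view == "history")
      or (module == "initiative" and view == "show")
      or (module == "initiative" and view == "history")
      or (module == "suggestion" and view == "show")
      or (module == "draft" and view == "diff")
      or (module == "draft" and view == "show")
      or (module == "file" and view == "show.jpg")
      or (module == "index" and view == "search")
      or (module == "index" and view == "usage_terms")
      or (module == "help" and view == "introduction")
      or module == "style"
    then
      auth_needed = false
    end
  end

  -- Avatars of authors are visible at "authors_pseudonymous" level; any
  -- member image (e.g. full photo) only at "everything" level.
  if app.session:has_access("authors_pseudonymous") then
    if module == "member_image" and view == "show" and param.get("image_type") == "avatar" then
      auth_needed = false
    end
  end

  if app.session:has_access("everything") then
    if module == "member_image" and view == "show" then
      auth_needed = false
    end
  end

  -- Member lists and incoming vote/interest lists at "all_pseudonymous".
  if app.session:has_access("all_pseudonymous") then
    if (module == "vote" and view == "show_incoming")
      or (module == "member" and view == "list")
      or (module == "interest" and view == "show_incoming")
      or (module == "vote" and view == "list") then
      auth_needed = false
    end
  end

  -- Member profiles and their history only at "everything".
  if app.session:has_access("everything") then
    if module == "member" and (view == "show" or view == "history") then
      auth_needed = false
    end
  end

  -- Anonymous visitors hitting the start page while it still requires a
  -- login are sent to the unit overview instead of the login form.
  if app.session:has_access("anonymous") and not app.session.member_id and auth_needed and module == "index" and view == "index" then
    if config.single_unit_id then
      request.redirect{ module = "unit", view = "show", id = config.single_unit_id }
    else
      request.redirect{ module = "unit", view = "list" }
    end
    return
  end

end

-- `and` binds tighter than `or` in Lua, so the "no session" and "no member"
-- tests must be grouped explicitly. Without the parentheses a request that
-- needs no authentication is sent to the login form whenever the session
-- has no member (anonymous visitor), and raises on indexing a nil session.
if auth_needed and (not app.session or not app.session.member) then
  trace.debug("Not authenticated yet.")
  -- Carry the original request (module, view, id and all string
  -- parameters) along so the login view can return the user here.
  local params = json.object()
  for key, val in pairs(request.get_param_strings()) do
    if type(val) == "string" then
      params[key] = val
    else
      -- shouldn't happen
      error("array type params not implemented")
    end
  end
  request.redirect{
    module = 'index', view = 'login', params = {
      redirect_module = module,
      redirect_view = view,
      redirect_id = param.get_id(),
      redirect_params = params
    }
  }
elseif auth_needed and app.session.member.locked then
  -- Reached only with a session and a member (first branch failed), so
  -- indexing app.session.member is safe here.
  trace.debug("Member locked.")
  request.redirect{ module = 'index', view = 'login' }
elseif app.session then
  -- Hard delegation check: a logged-in member flagged as needing the
  -- check may only use the check itself, logout, a few static pages and
  -- the language switch (plus member images) until it is done.
  if config.check_delegations_interval_hard and app.session.member_id and app.session.needs_delegation_check
    and not (module == "admin" or (module == "index" and (
      view == "check_delegations"
      or action == "check_delegations"
      or action == "logout"
      or view == "about"
      or view == "usage_terms"
      or action == "set_lang")
    ))
    and not (module == "member_image" and view == "show") then
    request.redirect{ module = 'index', view = 'check_delegations' }
    return
  end
  if auth_needed then
    trace.debug("Authentication accepted.")
  else
    trace.debug("No authentication needed.")
  end
  execute.inner()
  trace.debug("End of authentication filter.")
end
-- No branch matches when there is no session and no authentication is
-- needed; such a request ends here without execute.inner() (fail closed).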
