github-mirror/framework
github-mirror/framework
2
0
Fork 0
mirror of https://github.com/flarum/framework.git synced 2025-02-23 03:57:40 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Move authentication check into assertCan() method

Browse Source 
This will cause the right error (HTTP 401) to be thrown whenever
we're checking for a specific permission, but the user is not even
logged in. Authenticated users will still get HTTP 403.
This commit is contained in:
Franz Liedke 2019-08-21 23:46:00 +02:00
parent 0836d99e83
commit b60617b849
No known key found for this signature in database
GPG Key ID: 9A0231A879B055F4
3 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/Api/Controller/ListUsersController.php
View File

@ -72,7 +72,6 @@ class ListUsersController extends AbstractListController
{ {
$actor = $request->getAttribute('actor'); $actor = $request->getAttribute('actor');
$this->assertRegistered($actor);
$this->assertCan($actor, 'viewUserList'); $this->assertCan($actor, 'viewUserList');
$query = Arr::get($this->extractFilter($request), 'q'); $query = Arr::get($this->extractFilter($request), 'q');

1
src/Group/Command/CreateGroupHandler.php
View File

@ -49,7 +49,6 @@ class CreateGroupHandler
$actor = $command->actor; $actor = $command->actor;
$data = $command->data; $data = $command->data;
$this->assertRegistered($actor);
$this->assertCan($actor, 'createGroup'); $this->assertCan($actor, 'createGroup');
$group = Group::build( $group = Group::build(

8
src/User/AssertPermissionTrait.php
View File

@ -55,15 +55,23 @@ trait AssertPermissionTrait
* @param User $actor * @param User $actor
* @param string $ability * @param string $ability
* @param mixed $arguments * @param mixed $arguments
* @throws NotAuthenticatedException
* @throws PermissionDeniedException * @throws PermissionDeniedException
*/ */
protected function assertCan(User $actor, $ability, $arguments = []) protected function assertCan(User $actor, $ability, $arguments = [])
{ {
// For non-authenticated users, we throw a different exception to signal
// that logging in may help.
$this->assertRegistered($actor);
// If we're logged in, then we need to communicate that the current
// account simply does not have enough permissions.
$this->assertPermission($actor->can($ability, $arguments)); $this->assertPermission($actor->can($ability, $arguments));
} }
/** /**
* @param User $actor * @param User $actor
* @throws NotAuthenticatedException
* @throws PermissionDeniedException * @throws PermissionDeniedException
*/ */
protected function assertAdmin(User $actor) protected function assertAdmin(User $actor)