authorMalf Furious <m@lfurio.us>2018-10-23 20:40:49 -0400
committerMalf Furious <m@lfurio.us>2018-10-23 20:40:49 -0400
commit1449564793347f4e34f433f4620834e9c6db290f (patch)
tree5075e4cec732d998bb40bca525dc354c5bb7247c
parent9733a06af32e6b409558795f69f89b7c59487a55 (diff)
downloadscrott-1449564793347f4e34f433f4620834e9c6db290f.tar.gz
scrott-1449564793347f4e34f433f4620834e9c6db290f.zip
Fix bug in various form handlers
Some form handlers use the current logged in user (user::getCurrent()), however do so without asserting that we are _actually_ logged in. This is probably due to the fact that index.php (usually) catches all page requests that are logged out and diverts control before any other handler can be invoked. But a few handlers sneak through the cracks. In the future, the app will be better about supporting logged out browsing; the alpha was not written with this in the foreground. Signed-off-by: Malf Furious <m@lfurio.us>
-rw-r--r--app/model/datamods.php22
-rw-r--r--app/model/deleteaccount.php6
2 files changed, 24 insertions, 4 deletions
diff --git a/app/model/datamods.php b/app/model/datamods.php
index c7c7da1..e2051f3 100644
--- a/app/model/datamods.php
+++ b/app/model/datamods.php
@@ -32,7 +32,13 @@ if (isAction("dm-group-add"))
if (!$form->populate(input()))
return;
- $group = group::initNew($form->name, user::getCurrent());
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to create a group");
+ return;
+ }
+
+ $group = group::initNew($form->name, $user);
}
/*
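Review bot: The guard added before `group::initNew(...)` is repeated almost verbatim in the dm-pad-add, dm-issue-add and deleteaccount hunks, and none of the copies says why it is needed when index.php normally diverts logged-out requests. A short comment above each, such as `// index.php usually diverts logged-out requests, but this handler can be reached without that check`, would keep a later cleanup from removing the guard as dead code. Factoring the four copies into one shared helper would also make it harder to add the next handler without the check. The assignment inside the condition relies on user::getCurrent() returning a falsy value when logged out, which is presumably the case but is not shown in this diff.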
@@ -48,7 +54,12 @@ if (isAction("dm-pad-add"))
return;
$owner = agent::getAgentObj($form->owner);
- $user = user::getCurrent();
+
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to create a pad");
+ return;
+ }
if (!$user->canCreateSub($owner))
{
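Review bot: The login guard in the dm-pad-add handler sits after `$owner = agent::getAgentObj($form->owner);`, so a logged-out request still drives an object lookup from request-supplied input before it is rejected. Moving the `if (!($user = user::getCurrent()))` block directly after the `$form->populate(input())` check would turn unauthenticated requests away before any model object is loaded. The dm-issue-add hunk has the same ordering with `$pad = new pad($form->pad);`. Whether those lookups fail differently for existing and missing ids is not visible here, but if they do, the current order lets an anonymous caller tell the two apart. The handler body continues past the end of the hunk.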
@@ -78,7 +89,12 @@ if (isAction("dm-issue-add"))
return;
$pad = new pad($form->pad);
- $user = user::getCurrent();
+
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to open an issue");
+ return;
+ }
if (!$user->canCreateSub($pad))
{
diff --git a/app/model/deleteaccount.php b/app/model/deleteaccount.php
index 8153f0f..d83537e 100644
--- a/app/model/deleteaccount.php
+++ b/app/model/deleteaccount.php
@@ -26,7 +26,11 @@ if (isAction("deleteaccount"))
if (!$form->populate(input()))
return;
- $user = user::getCurrent();
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to close your account");
+ return;
+ }
if (!$user->validatePasswd($form->passwd))
{