From 1449564793347f4e34f433f4620834e9c6db290f Mon Sep 17 00:00:00 2001
From: Malf Furious
Date: Tue, 23 Oct 2018 20:40:49 -0400
Subject: Fix bug in various form handlers
Some form handlers use the current logged in user (user::getCurrent()), however do so without asserting that we are _actually_ logged in. This is probably due to that fact that index.php (usually) catches all page requests that are logged out and diverts control before any other handler can be invoked. But a few handlers sneak through the cracks. In the future, the app will be better about supportting logged out browsing, the alpha was not written with this in the forground.
Signed-off-by: Malf Furious
---
 app/model/datamods.php | 22 +++++++++++++++++++---
 app/model/deleteaccount.php | 6 +++++-
 2 files changed, 24 insertions(+), 4 deletions(-)
 (limited to 'app/model')
diff --git a/app/model/datamods.php b/app/model/datamods.php
index c7c7da1..e2051f3 100644
--- a/app/model/datamods.php
+++ b/app/model/datamods.php
@@ -32,7 +32,13 @@ if (isAction("dm-group-add"))
 if (!$form->populate(input()))
 return;
- $group = group::initNew($form->name, user::getCurrent());
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to create a group");
+ return;
+ }
+
+ $group = group::initNew($form->name, $user);
 }
 /*
@@ -48,7 +54,12 @@ if (isAction("dm-pad-add"))
 return;
 $owner = agent::getAgentObj($form->owner);
- $user = user::getCurrent();
+
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to create a pad");
+ return;
+ }
 if (!$user->canCreateSub($owner))
 {
@@ -78,7 +89,12 @@ if (isAction("dm-issue-add"))
 return;
 $pad = new pad($form->pad);
- $user = user::getCurrent();
+
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to open an issue");
+ return;
+ }
 if (!$user->canCreateSub($pad))
 {
diff --git a/app/model/deleteaccount.php b/app/model/deleteaccount.php
index 8153f0f..d83537e 100644
--- a/app/model/deleteaccount.php
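Review bot: The same `user::getCurrent()` guard is pasted into four handlers (`dm-group-add` in this hunk, `dm-pad-add` and `dm-issue-add` in the next two, and `deleteaccount` in app/model/deleteaccount.php), so a handler added later that does not copy it will again use a missing user. The commit message says index.php only usually diverts logged-out requests, so the login requirement would be safer enforced in one place, for example a single shared helper that returns the current user or logs the error, called as the first statement of every handler that needs a user. If the copies stay, a comment above each guard such as `// index.php does not divert every logged-out request, so check here too` would record why it exists. The enclosing `if (isAction(...))` blocks start and end outside these hunks.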
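Review bot: In the `dm-pad-add` hunk the new login check sits after `$owner = agent::getAgentObj($form->owner);`, so a logged-out request still drives an object lookup from a request-supplied value before it is rejected; the `dm-issue-add` hunk has the same order with `$pad = new pad($form->pad);`. Moving the `if (!($user = user::getCurrent()))` block above those lines, and preferably above `$form->populate(input())` too, keeps unauthenticated input away from the model layer. What those lookups do with an unknown value is not visible here, so any information exposure is unconfirmed, but checking authentication first removes the question. Both handler bodies continue outside the hunks.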
+++ b/app/model/deleteaccount.php
@@ -26,7 +26,11 @@ if (isAction("deleteaccount"))
 if (!$form->populate(input()))
 return;
- $user = user::getCurrent();
+ if (!($user = user::getCurrent()))
+ {
+ logError(ERROR, "You must be logged in to close your account");
+ return;
+ }
 if (!$user->validatePasswd($form->passwd))
 {
-- 
cgit v1.2.3