authormsquare <msquare@notrademark.de>2019-10-13 12:59:54 +0200
committerGitHub <noreply@github.com>2019-10-13 12:59:54 +0200
commitb581da01a3dff2e6e8fbb748050442b22a4af213 (patch)
tree9bf0dcbdb372a9fc66b7273b01b4c24c0f416acf /includes/controller
parent592222c4012c833ef8d8a1503988d7e478f68a46 (diff)
parent35b820cd7de904e50bd78cee197ebd379985ec58 (diff)
Merge pull request #653 from MyIgel/403-forbidden-exports
Return 403 forbidden on shifts json, atom export and ical export if api key is missing or invalid
Diffstat (limited to 'includes/controller')
-rw-r--r--includes/controller/shifts_controller.php16
1 files changed, 9 insertions, 7 deletions
diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php
index caf124ba..726814cf 100644
--- a/includes/controller/shifts_controller.php
+++ b/includes/controller/shifts_controller.php
@@ -1,5 +1,6 @@
<?php
+use Engelsystem\Http\Exceptions\HttpForbidden;
use Engelsystem\ShiftSignupState;
/**
@@ -348,17 +349,18 @@ function shift_next_controller()
function shifts_json_export_controller()
{
$request = request();
+ $user = auth()->apiUser('key');
- if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
- engelsystem_error('Missing key.');
+ if (
+ !$request->has('key')
+ || !preg_match('/^[\da-f]{32}$/', $request->input('key'))
+ || !$user
+ ) {
+ throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']);
}
- $user = auth()->apiUser('key');
- if (!$user) {
- engelsystem_error('Key invalid.');
- }
if (!auth()->can('shifts_json_export')) {
- engelsystem_error('No privilege for shifts_json_export.');
+ throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']);
}
$shifts = load_ical_shifts();
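Review bot: `auth()->apiUser('key')` now runs at the top of shifts_json_export_controller(), ahead of the `has('key')` and `preg_match` checks, so the format check no longer gates the lookup and every unauthenticated request reaches it with an unvalidated value. Putting the lookup last in the condition restores the old ordering through short-circuit evaluation: drop the `$user = auth()->apiUser('key');` line above the `if` and end the condition with `|| !($user = auth()->apiUser('key'))`. Separately, the `$` in the pattern also matches before a trailing newline, so `/^[\da-f]{32}\z/` is needed to pin the key to exactly 32 hex characters. What apiUser() does with the value is not visible in this hunk, and the function body continues past its last line.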