diff options
| author | msquare <msquare@notrademark.de> | 2019-10-13 12:59:54 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-10-13 12:59:54 +0200 |
| commit | b581da01a3dff2e6e8fbb748050442b22a4af213 (patch) | |
| tree | 9bf0dcbdb372a9fc66b7273b01b4c24c0f416acf /includes/controller | |
| parent | 592222c4012c833ef8d8a1503988d7e478f68a46 (diff) | |
| parent | 35b820cd7de904e50bd78cee197ebd379985ec58 (diff) | |
Merge pull request #653 from MyIgel/403-forbidden-exports
Return 403 forbidden on shifts json, atom export and ical export if api key is missing or invalid
Diffstat (limited to 'includes/controller')
| -rw-r--r-- | includes/controller/shifts_controller.php | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php index caf124ba..726814cf 100644 --- a/includes/controller/shifts_controller.php +++ b/includes/controller/shifts_controller.php @@ -1,5 +1,6 @@ <?php +use Engelsystem\Http\Exceptions\HttpForbidden; use Engelsystem\ShiftSignupState; /** @@ -348,17 +349,18 @@ function shift_next_controller() function shifts_json_export_controller() { $request = request(); + $user = auth()->apiUser('key'); - if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) { - engelsystem_error('Missing key.'); + if ( + !$request->has('key') + || !preg_match('/^[\da-f]{32}$/', $request->input('key')) + || !$user + ) { + throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']); } - $user = auth()->apiUser('key'); - if (!$user) { - engelsystem_error('Key invalid.'); - } if (!auth()->can('shifts_json_export')) { - engelsystem_error('No privilege for shifts_json_export.'); + throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']); } $shifts = load_ical_shifts(); |