summaryrefslogtreecommitdiff
path: root/includes/pages
diff options
context:
space:
mode:
authormsquare <msquare@notrademark.de>2019-10-13 12:59:54 +0200
committerGitHub <noreply@github.com>2019-10-13 12:59:54 +0200
commitb581da01a3dff2e6e8fbb748050442b22a4af213 (patch)
tree9bf0dcbdb372a9fc66b7273b01b4c24c0f416acf /includes/pages
parent592222c4012c833ef8d8a1503988d7e478f68a46 (diff)
parent35b820cd7de904e50bd78cee197ebd379985ec58 (diff)
Merge pull request #653 from MyIgel/403-forbidden-exports
Return 403 forbidden on shifts json, atom export and ical export if api key is missing or invalid
Diffstat (limited to 'includes/pages')
-rw-r--r--includes/pages/user_atom.php16
-rw-r--r--includes/pages/user_ical.php17
2 files changed, 19 insertions, 14 deletions
diff --git a/includes/pages/user_atom.php b/includes/pages/user_atom.php
index 8e5b4858..a491fea7 100644
--- a/includes/pages/user_atom.php
+++ b/includes/pages/user_atom.php
@@ -1,6 +1,7 @@
<?php
use Engelsystem\Database\DB;
+use Engelsystem\Http\Exceptions\HttpForbidden;
/**
* Publically available page to feed the news to feed readers
@@ -8,17 +9,18 @@ use Engelsystem\Database\DB;
function user_atom()
{
$request = request();
+ $user = auth()->apiUser('key');
- if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
- engelsystem_error('Missing key.');
+ if (
+ !$request->has('key')
+ || !preg_match('/^[\da-f]{32}$/', $request->input('key'))
+ || empty($user)
+ ) {
+ throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
}
- $user = auth()->apiUser('key');
- if (empty($user)) {
- engelsystem_error('Key invalid.');
- }
if (!auth()->can('atom')) {
- engelsystem_error('No privilege for atom.');
+ throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
}
$news = DB::select('
diff --git a/includes/pages/user_ical.php b/includes/pages/user_ical.php
index ee3a8340..2f3a7ccc 100644
--- a/includes/pages/user_ical.php
+++ b/includes/pages/user_ical.php
@@ -1,22 +1,25 @@
<?php
+use Engelsystem\Http\Exceptions\HttpForbidden;
+
/**
* Controller for ical output of users own shifts or any user_shifts filter.
*/
function user_ical()
{
$request = request();
+ $user = auth()->apiUser('key');
- if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) {
- engelsystem_error('Missing key.');
+ if (
+ !$request->has('key')
+ || !preg_match('/^[\da-f]{32}$/', $request->input('key'))
+ || !$user
+ ) {
+ throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']);
}
- $user = auth()->apiUser('key');
- if (!$user) {
- engelsystem_error('Key invalid.');
- }
if (!auth()->can('ical')) {
- engelsystem_error('No privilege for ical.');
+ throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']);
}
$ical_shifts = load_ical_shifts();