Deny access to protected albums and their contents.

2010-11-07 13:10:01 +08:00 · 2010-11-07 13:10:01 +08:00 · 73ebd81bc1
commit 73ebd81bc1
parent 63873f96cd
2 changed files with 114 additions and 0 deletions
--- a/3.0/modules/albumpassword/helpers/MY_access.php
+++ b/3.0/modules/albumpassword/helpers/MY_access.php
@ -0,0 +1,57 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2010 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+class access extends access_Core {
+  static function required($perm_name, $item) {
+    // Original code from the required function in modules/gallery/helpers/access.php.
+    if (!self::can($perm_name, $item)) {
+      if ($perm_name == "view") {
+        // Treat as if the item didn't exist, don't leak any information.
+        throw new Kohana_404_Exception();
+      } else {
+        self::forbidden();
+      }
+    // Begin rWatcher modifications.
+    //   This section adds an additional condition onto the view permission that throws a 404
+    //   error if the album has a password assigned.
+    } elseif ($perm_name == "view") {
+      $album_item = "";
+      do {
+        if ($album_item == "") {
+          if ($item->is_album()) {
+            $album_item = $item;
+          } else {
+            $album_item = $item->parent();
+          }
+        } else {
+          $album_item = $album_item->parent();
+        }		
+	  
+        $existing_password = ORM::factory("items_albumpassword")->where("album_id", "=", $album_item->id)->find();
+        if ($existing_password->loaded()) {
+          if ((cookie::get("g3_albumpassword") != $existing_password->password) &&
+              (identity::active_user()->id != $album_item->owner_id)) {
+            throw new Kohana_404_Exception();
+          }
+        }
+      } while ($album_item->parent_id > 0);
+    }
+  }
+}
--- a/3.1/modules/albumpassword/helpers/MY_access.php
+++ b/3.1/modules/albumpassword/helpers/MY_access.php
@ -0,0 +1,57 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2010 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+class access extends access_Core {
+  static function required($perm_name, $item) {
+    // Original code from the required function in modules/gallery/helpers/access.php.
+    if (!self::can($perm_name, $item)) {
+      if ($perm_name == "view") {
+        // Treat as if the item didn't exist, don't leak any information.
+        throw new Kohana_404_Exception();
+      } else {
+        self::forbidden();
+      }
+    // Begin rWatcher modifications.
+    //   This section adds an additional condition onto the view permission that throws a 404
+    //   error if the album has a password assigned.
+    } elseif ($perm_name == "view") {
+      $album_item = "";
+      do {
+        if ($album_item == "") {
+          if ($item->is_album()) {
+            $album_item = $item;
+          } else {
+            $album_item = $item->parent();
+          }
+        } else {
+          $album_item = $album_item->parent();
+        }		
+	  
+        $existing_password = ORM::factory("items_albumpassword")->where("album_id", "=", $album_item->id)->find();
+        if ($existing_password->loaded()) {
+          if ((cookie::get("g3_albumpassword") != $existing_password->password) &&
+              (identity::active_user()->id != $album_item->owner_id)) {
+            throw new Kohana_404_Exception();
+          }
+        }
+      } while ($album_item->parent_id > 0);
+    }
+  }
+}