Hotfix for issue that prevents form submissions due to sessions being cleared.

If submitting a form as guest, the secret tokens and captchas etc... are cleared from the session
during the check for transparent authentication.  Assume that if this form is submitted, the user
was already authenticated (or did not require authentication).

As mentioned, this is a hotfix meant to get bugs.horde.org working again for guests.
There is probably a more appropriate way to fix this, but I cannot think of any other fixes that do not
open up other security holes.

diff --git a/framework/Core/lib/Horde/Registry.php b/framework/Core/lib/Horde/Registry.php
index 3ef8f0a..f277d30 100644 (file)
--- a/framework/Core/lib/Horde/Registry.php
+++ b/framework/Core/lib/Horde/Registry.php
@@ -205,7 +205,7 @@ class Horde_Registry
         $appob->initParams = $args;
 
         try {
-            $registry->pushApp($app, array('check_perms' => ($args['authentication'] != 'none'), 'logintasks' => !$args['nologintasks']));
+            $registry->pushApp($app, array('check_perms' => ($args['authentication'] != 'none'), 'logintasks' => !$args['nologintasks'], 'notransparent' => !empty($args['notransparent'])));
 
             if ($args['admin'] && !$registry->isAdmin()) {
                 throw new Horde_Exception('Not an admin');
@@ -1157,7 +1157,7 @@ class Horde_Registry
                 throw new Horde_Exception('User is not authorized', self::AUTH_FAILURE);
             }
 
-            if (!$this->hasPermission($app, Horde_Perms::READ)) {
+            if (!$this->hasPermission($app, Horde_Perms::READ, array('notransparent' => !empty($options['notransparent'])))) {
                 if (!$this->isAuthenticated(array('app' => $app))) {
                     throw new Horde_Exception('User is not authorized', self::AUTH_FAILURE);
                 }
@@ -1281,12 +1281,12 @@ class Horde_Registry
      *
      * @return boolean  Whether access is allowed.
      */
-    public function hasPermission($app, $perms = Horde_Perms::READ)
+    public function hasPermission($app, $perms = Horde_Perms::READ, $params = array())
     {
         /* Always do isAuthenticated() check first. You can be an admin, but
          * application auth != Horde admin auth. And there can *never* be
          * non-SHOW access to an application that requires authentication. */
-        if (!$this->isAuthenticated(array('app' => $app)) &&
+        if (!$this->isAuthenticated(array('app' => $app, 'notransparent' => !empty($params['notransparent']))) &&
             $GLOBALS['injector']->getInstance('Horde_Auth')->getAuth($app)->requireAuth() &&
             ($perms != Horde_Perms::SHOW)) {
             return false;

diff --git a/whups/ticket/comment.php b/whups/ticket/comment.php
index af26ce9..89fff15 100644 (file)
--- a/whups/ticket/comment.php
+++ b/whups/ticket/comment.php
@@ -8,7 +8,13 @@
  */
 
 require_once dirname(__FILE__) . '/../lib/Application.php';
-Horde_Registry::appInit('whups');
+
+if (Horde_Util::getPost('formname') == 'addcommentform') {
+    $params = array('notransparent' => true);
+} else {
+    $params = array();
+}
+Horde_Registry::appInit('whups', $params);
 
 require_once WHUPS_BASE . '/lib/Forms/AddComment.php';