From: Michael J. Rubinsky
Date: Sun, 15 Aug 2010 18:05:12 +0000 (-0400)
Subject: Hotfix for issue that prevents form submissions due to sessions being cleared.
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=ac22a6e2d2a9797eb4b378882194af1025b03d00;p=horde.git

Hotfix for issue that prevents form submissions due to sessions being cleared. If submitting a form as guest, the secret tokens and captchas etc... are cleared from the session during the check for transparent authentication. Assume that if this form is submitted, the user was already authenticated (or did not require authentication). As mentioned, this is a hotfix meant to get bugs.horde.org working again for guests. There is probably a more appropriate way to fix this, but I cannot think of any other fixes that do not open up other security holes.
---
diff --git a/framework/Core/lib/Horde/Registry.php b/framework/Core/lib/Horde/Registry.php
index 3ef8f0a43..f277d30db 100644
--- a/framework/Core/lib/Horde/Registry.php
+++ b/framework/Core/lib/Horde/Registry.php
@@ -205,7 +205,7 @@ class Horde_Registry
         $appob->initParams = $args;
         try {
-            $registry->pushApp($app, array('check_perms' => ($args['authentication'] != 'none'), 'logintasks' => !$args['nologintasks']));
+            $registry->pushApp($app, array('check_perms' => ($args['authentication'] != 'none'), 'logintasks' => !$args['nologintasks'], 'notransparent' => !empty($args['notransparent'])));
             if ($args['admin'] && !$registry->isAdmin()) {
                 throw new Horde_Exception('Not an admin');
@@ -1157,7 +1157,7 @@ class Horde_Registry
                 throw new Horde_Exception('User is not authorized', self::AUTH_FAILURE);
             }
-            if (!$this->hasPermission($app, Horde_Perms::READ)) {
+            if (!$this->hasPermission($app, Horde_Perms::READ, array('notransparent' => !empty($options['notransparent'])))) {
                 if (!$this->isAuthenticated(array('app' => $app))) {
                     throw new Horde_Exception('User is not authorized', self::AUTH_FAILURE);
                 }
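Review bot: The new `notransparent` key forwarded to `pushApp()` is not documented where the accepted `$args` keys of the enclosing method are listed (it looks like `appInit()`; its docblock and `$args` defaults are above this hunk). A line such as `'notransparent' - (boolean) If true, do not attempt transparent authentication while checking permissions (per the commit message, that check clears form tokens from the session). Defaults to false.` would tell callers what the option does and that it only narrows what is attempted. The key is read with `!empty()` while `'nologintasks'` on the same line is read by bare index, which suggests it was not added to the defaults array; adding `'notransparent' => false` there would keep the two consistent. The method starts before and continues after this hunk.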
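Review bot: The fallback `isAuthenticated()` call on the line right after the changed `hasPermission()` call still runs without the `notransparent` option, so on the path where `hasPermission()` returns false the transparent-authentication check the commit is trying to avoid is attempted anyway, and the session clearing described in the commit message can still occur for that request. Passing the same flag keeps the two calls consistent: `if (!$this->isAuthenticated(array('app' => $app, 'notransparent' => !empty($options['notransparent'])))) {`. Whether `isAuthenticated()` honours the key is only inferred from the other hunk, which passes it the same way; the enclosing method starts and ends outside this hunk.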
@@ -1281,12 +1281,12 @@ class Horde_Registry
      *
      * @return boolean Whether access is allowed.
      */
-    public function hasPermission($app, $perms = Horde_Perms::READ)
+    public function hasPermission($app, $perms = Horde_Perms::READ, $params = array())
     {
         /* Always do isAuthenticated() check first. You can be an admin, but
          * application auth != Horde admin auth. And there can *never* be
          * non-SHOW access to an application that requires authentication. */
-        if (!$this->isAuthenticated(array('app' => $app)) &&
+        if (!$this->isAuthenticated(array('app' => $app, 'notransparent' => !empty($params['notransparent']))) &&
             $GLOBALS['injector']->getInstance('Horde_Auth')->getAuth($app)->requireAuth() &&
             ($perms != Horde_Perms::SHOW)) {
             return false;
diff --git a/whups/ticket/comment.php b/whups/ticket/comment.php
index af26ce95c..89fff1575 100644
--- a/whups/ticket/comment.php
+++ b/whups/ticket/comment.php
@@ -8,7 +8,13 @@
  */
 require_once dirname(__FILE__) . '/../lib/Application.php';
-Horde_Registry::appInit('whups');
+
+if (Horde_Util::getPost('formname') == 'addcommentform') {
+    $params = array('notransparent' => true);
+} else {
+    $params = array();
+}
+Horde_Registry::appInit('whups', $params);
 require_once WHUPS_BASE . '/lib/Forms/AddComment.php';
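Review bot: The new `$params` argument of `hasPermission()` is undocumented: the docblock tail visible in this hunk still ends with only `@return boolean`, and the `@param` entries above it are not extended. Add `@param array $params  Additional options: 'notransparent' - (boolean) If true, isAuthenticated() is asked not to attempt transparent authentication.` and, since the body indexes into it, tighten the signature to `public function hasPermission($app, $perms = Horde_Perms::READ, array $params = array())`. The method body continues past the end of the hunk.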