return gotClearanceForTagChain ($subject);
}
+# a "throwing" wrapper for above
+function assertPermission ($p = NULL, $t = NULL, $o = NULL, $annex = array())
+{
+ if (! permitted ($p, $t, $o, $annex))
+ throw new RTPermissionDenied();
+}
+
// The argument doesn't include explicit and implicit tags. This allows us to derive implicit chain
// each time we modify the given argument (and work with the modified copy from now on).
// After the work is done the global $impl_tags is silently modified
const INTERNAL = 2;
const DB_WRITE_FAILED = 3;
const NOT_AUTHENTICATED = 4;
- const NOT_AUTHORIZED = 5;
const MISCONFIGURED = 6;
protected final function genHTMLPage ($title, $text)
{
self::MISCONFIGURED => 'Configuration error',
self::INTERNAL => 'Internal error',
self::DB_WRITE_FAILED => 'Database write failed',
- self::NOT_AUTHORIZED => 'Permission denied',
);
$msgbody = array
(
self::MISCONFIGURED => '<h2>Configuration error</h2><br>' . $this->message,
self::INTERNAL => '<h2>Internal error</h2><br>' . $this->message,
self::DB_WRITE_FAILED => '<h2>Database write failed</h2><br>' . $this->message,
- self::NOT_AUTHORIZED => '<h2>Permission denied</h2><br>' . $this->message,
);
switch ($this->code)
{
case self::MISCONFIGURED:
case self::INTERNAL:
case self::DB_WRITE_FAILED:
- case self::NOT_AUTHORIZED:
$this->genHTMLPage ($msgheader[$this->code], $msgbody[$this->code]);
break;
default:
}
}
+# "Permission denied" is a very common case, which in some situations is
+# treated as a "soft" error.
+class RTPermissionDenied extends RackTablesError
+{
+ public function dispatch()
+ {
+ renderAccessDenied (FALSE);
+ }
+}
+
function dumpArray($arr)
{
echo '<table class="exceptionParametersDump">';
if (!strlen ($terms))
throw new InvalidRequestArgException('q', $_REQUEST['q'], 'Search string cannot be empty.');
if (!permitted ('depot', 'default'))
- throw new RackTablesError ('You are not authorized for viewing information about objects.', RackTablesError::NOT_AUTHORIZED);
+ throw new RTPermissionDenied();
$results = searchEntitiesByText ($terms);
renderSearchResults ($terms, $results);
$pageno = 'object';
$tabno = 'default';
fixContext();
- if (!permitted())
- {
- renderAccessDenied (FALSE);
- return;
- }
+ assertPermission();
$object_id = getBypassValue();
echo '<div style="background-color: #f0f0f0; border: 1px solid #3c78b5; padding: 10px; height: 100%; text-align: center; margin: 5px;">';
echo '<h2>Choose a container:</h2>';
$pageno = 'depot';
$tabno = 'default';
fixContext();
- if (!permitted())
- renderAccessDenied();
+ assertPermission();
assertUIntArg ('port');
assertStringArg ('in_rack');
$localchoice = $_REQUEST['in_rack'] == 'y';
$pageno = 'ipv4space';
$tabno = 'default';
fixContext();
- if (!permitted())
- renderAccessDenied();
+ assertPermission();
echo '<div style="background-color: #f0f0f0; border: 1px solid #3c78b5; padding: 10px; height: 100%; text-align: center; margin: 5px;">';
echo '<h2>Choose a port:</h2><br><br>';
echo '<form action="javascript:;">';
$pageno = 'rack';
$tabno = 'default';
fixContext();
- if (!permitted())
- renderAccessDeniedImage();
- else
- renderRackThumb (getBypassValue());
+ assertPermission()
+ renderRackThumb (getBypassValue());
break;
case 'progressbar': // no security context
assertUIntArg ('done', TRUE);
$pageno = 'file';
$tabno = 'download';
fixContext();
- if (!permitted())
- renderAccessDeniedImage();
- else
- renderFilePreview (getBypassValue());
+ assertPermission();
+ renderFilePreview (getBypassValue());
break;
default:
renderErrorImage();
// do not override.
fixContext();
redirectIfNecessary();
- if (! permitted())
- {
- renderAccessDenied (FALSE);
- break;
- }
+ assertPermission();
header ('Content-Type: text/html; charset=UTF-8');
// Only store the tab name after clearance is got. Any failure is unhandleable.
if (isset ($_REQUEST['tab']) and ! isset ($_SESSION['RTLT'][$pageno]['dont_remember']))
$pageno = 'file';
$tabno = 'download';
fixContext();
- if (!permitted())
- {
- renderAccessDenied (FALSE);
- break;
- }
+ assertPermission();
$file = getFile (getBypassValue());
header("Content-Type: {$file['type']}");
header("Content-Length: {$file['size']}");
{
dispatchImageRequest();
}
+ catch (RTPermissionDenied $e)
+ {
+ ob_clean();
+ renderAccessDeniedImage();
+ }
catch (Exception $e)
{
ob_clean();
)
throw new RackTablesError ("Invalid navigation data for '${pageno}-${tabno}-${op}'", RackTablesError::INTERNAL);
// We have a chance to handle an error before starting HTTP header.
- if (!isset ($delayauth[$pageno][$tabno][$op]) and !permitted())
- showError ('Operation not permitted');
- else
- {
- // Call below does the job of bypass argument assertion, if such is required,
- // so the ophandler function doesn't have to re-assert this portion of its
- // arguments. And it would be even better to pass returned value to ophandler,
- // so it is not necessary to remember the name of bypass in it.
- getBypassValue();
- if (strlen ($redirect_to = call_user_func ($ophandler[$pageno][$tabno][$op])))
- $location = $redirect_to;
- }
- header ("Location: " . $location);
+ if (!isset ($delayauth[$pageno][$tabno][$op]))
+ assertPermission();
+ # Call below does the job of bypass argument assertion, if such is required,
+ # so the ophandler function doesn't have to re-assert this portion of its
+ # arguments. And it would be even better to pass returned value to ophandler,
+ # so it is not necessary to remember the name of bypass in it.
+ getBypassValue();
+ if (strlen ($redirect_to = call_user_func ($ophandler[$pageno][$tabno][$op])))
+ $location = $redirect_to;
}
// known "soft" failures require a short error message
catch (InvalidRequestArgException $e)
{
ob_clean();
showError ($e->getMessage());
- header ('Location: ' . $location);
}
catch (RTDatabaseError $e)
{
ob_clean();
showError ('Database error: ' . $e->getMessage());
- header ('Location: ' . $location);
}
+ catch (RTPermissionDenied $e)
+ {
+ ob_clean();
+ showError ('Operation not permitted');
+ }
+ header ('Location: ' . $location);
// any other error requires no special handling and will be caught outside
break;
case 'popup' == $_REQUEST['module']:
projects / racktables / commitdiff
