r4354 RTPermissionDenied: new class instead of RackTablesError::NOT_AUTHORIZED
authorDenis Ovsienko <infrastation@yandex.ru>
Thu, 17 Mar 2011 14:11:18 +0000 (14:11 +0000)
committerDenis Ovsienko <infrastation@yandex.ru>
Thu, 17 Mar 2011 14:11:18 +0000 (14:11 +0000)
assertPermission(): new function
searchHandler(): update respectively
renderPopupHTML(): idem
index.php: idem
dispatchImageRequest(): idem

wwwroot/inc/auth.php
wwwroot/inc/exceptions.php
wwwroot/inc/interface.php
wwwroot/inc/popup.php
wwwroot/inc/render_image.php
wwwroot/index.php

index daf8e92b6a83f43aedbba6ece88b24585b4c0981..c7ead24e581702350346d696c078ba58851fc8ad 100644 (file)
@@ -141,6 +141,13 @@ function permitted ($p = NULL, $t = NULL, $o = NULL, $annex = array())
        return gotClearanceForTagChain ($subject);
 }
 
+# a "throwing" wrapper for above
+function assertPermission ($p = NULL, $t = NULL, $o = NULL, $annex = array())
+{
+       if (! permitted ($p, $t, $o, $annex))
+               throw new RTPermissionDenied();
+}
+
 // The argument doesn't include explicit and implicit tags. This allows us to derive implicit chain
 // each time we modify the given argument (and work with the modified copy from now on).
 // After the work is done the global $impl_tags is silently modified
index da830cd93d06b1c1e5341dc8619bae61bce963f1..48ac85cce9621f7cfc035727238c55ee1d284f47 100644 (file)
@@ -9,7 +9,6 @@ class RackTablesError extends Exception
        const INTERNAL = 2;
        const DB_WRITE_FAILED = 3;
        const NOT_AUTHENTICATED = 4;
-       const NOT_AUTHORIZED = 5;
        const MISCONFIGURED = 6;
        protected final function genHTMLPage ($title, $text)
        {
@@ -27,7 +26,6 @@ class RackTablesError extends Exception
                        self::MISCONFIGURED => 'Configuration error',
                        self::INTERNAL => 'Internal error',
                        self::DB_WRITE_FAILED => 'Database write failed',
-                       self::NOT_AUTHORIZED => 'Permission denied',
                );
                $msgbody = array
                (
@@ -35,7 +33,6 @@ class RackTablesError extends Exception
                        self::MISCONFIGURED => '<h2>Configuration error</h2><br>' . $this->message,
                        self::INTERNAL => '<h2>Internal error</h2><br>' . $this->message,
                        self::DB_WRITE_FAILED => '<h2>Database write failed</h2><br>' . $this->message,
-                       self::NOT_AUTHORIZED => '<h2>Permission denied</h2><br>' . $this->message,
                );
                switch ($this->code)
                {
@@ -45,7 +42,6 @@ class RackTablesError extends Exception
                case self::MISCONFIGURED:
                case self::INTERNAL:
                case self::DB_WRITE_FAILED:
-               case self::NOT_AUTHORIZED:
                        $this->genHTMLPage ($msgheader[$this->code], $msgbody[$this->code]);
                        break;
                default:
@@ -136,6 +132,16 @@ class RTBuildLVSConfigError extends RackTablesError
        }
 }
 
+# "Permission denied" is a very common case, which in some situations is
+# treated as a "soft" error.
+class RTPermissionDenied extends RackTablesError
+{
+       public function dispatch()
+       {
+               renderAccessDenied (FALSE);
+       }
+}
+
 function dumpArray($arr)
 {
        echo '<table class="exceptionParametersDump">';
index b650a0445ef70d32eed1da985ea332a72adc4fdf..84c3d28d921210c3cc5d364369375fbb0cfdaee7 100644 (file)
@@ -3471,7 +3471,7 @@ function searchHandler () {
        if (!strlen ($terms))
                throw new InvalidRequestArgException('q', $_REQUEST['q'], 'Search string cannot be empty.');
        if (!permitted ('depot', 'default'))
-               throw new RackTablesError ('You are not authorized for viewing information about objects.', RackTablesError::NOT_AUTHORIZED);
+               throw new RTPermissionDenied();
        
        $results = searchEntitiesByText ($terms);
        renderSearchResults ($terms, $results);
index e1bc730f46fb51e93e72d67c6911a381c26b89f5..255c1a29c802cb8ddd47a5e9b7aa5d810941cc8a 100644 (file)
@@ -128,11 +128,7 @@ header ('Content-Type: text/html; charset=UTF-8');
                        $pageno = 'object';
                        $tabno = 'default';
                        fixContext();
-                       if (!permitted())
-                       {
-                               renderAccessDenied (FALSE);
-                               return;
-                       }
+                       assertPermission();
                        $object_id = getBypassValue();
                        echo '<div style="background-color: #f0f0f0; border: 1px solid #3c78b5; padding: 10px; height: 100%; text-align: center; margin: 5px;">';
                        echo '<h2>Choose a container:</h2>';
@@ -150,8 +146,7 @@ header ('Content-Type: text/html; charset=UTF-8');
                        $pageno = 'depot';
                        $tabno = 'default';
                        fixContext();
-                       if (!permitted())
-                               renderAccessDenied();
+                       assertPermission();
                        assertUIntArg ('port');
                        assertStringArg ('in_rack');
                        $localchoice = $_REQUEST['in_rack'] == 'y';
@@ -186,8 +181,7 @@ header ('Content-Type: text/html; charset=UTF-8');
                        $pageno = 'ipv4space';
                        $tabno = 'default';
                        fixContext();
-                       if (!permitted())
-                               renderAccessDenied();
+                       assertPermission();
                        echo '<div style="background-color: #f0f0f0; border: 1px solid #3c78b5; padding: 10px; height: 100%; text-align: center; margin: 5px;">';
                        echo '<h2>Choose a port:</h2><br><br>';
                        echo '<form action="javascript:;">';
index 27f0607ab307aa4eee585161d97bbd02659fd50a..8fe027fcfc9294b1e890b1d6811161c9c310ae9e 100644 (file)
@@ -10,10 +10,8 @@ function dispatchImageRequest()
                $pageno = 'rack';
                $tabno = 'default';
                fixContext();
-               if (!permitted())
-                       renderAccessDeniedImage();
-               else
-                       renderRackThumb (getBypassValue());
+               assertPermission()
+               renderRackThumb (getBypassValue());
                break;
        case 'progressbar': // no security context
                assertUIntArg ('done', TRUE);
@@ -24,10 +22,8 @@ function dispatchImageRequest()
                $pageno = 'file';
                $tabno = 'download';
                fixContext();
-               if (!permitted())
-                       renderAccessDeniedImage();
-               else
-                       renderFilePreview (getBypassValue());
+               assertPermission();
+               renderFilePreview (getBypassValue());
                break;
        default:
                renderErrorImage();
index 235a1adc43b41d6c5ceb543dab551c1522583fe2..b4f8e559d127bb084213c5c2a26514cf05bb7d8e 100644 (file)
@@ -19,11 +19,7 @@ try {
                // do not override.
                fixContext();
                redirectIfNecessary();
-               if (! permitted())
-               {
-                       renderAccessDenied (FALSE);
-                       break;
-               }
+               assertPermission();
                header ('Content-Type: text/html; charset=UTF-8');
                // Only store the tab name after clearance is got. Any failure is unhandleable.
                if (isset ($_REQUEST['tab']) and ! isset ($_SESSION['RTLT'][$pageno]['dont_remember']))
@@ -51,11 +47,7 @@ try {
                $pageno = 'file';
                $tabno = 'download';
                fixContext();
-               if (!permitted())
-               {
-                       renderAccessDenied (FALSE);
-                       break;
-               }
+               assertPermission();
                $file = getFile (getBypassValue());
                header("Content-Type: {$file['type']}");
                header("Content-Length: {$file['size']}");
@@ -80,6 +72,11 @@ try {
                {
                        dispatchImageRequest();
                }
+               catch (RTPermissionDenied $e)
+               {
+                       ob_clean();
+                       renderAccessDeniedImage();
+               }
                catch (Exception $e)
                {
                        ob_clean();
@@ -128,33 +125,33 @@ try {
                        )
                                throw new RackTablesError ("Invalid navigation data for '${pageno}-${tabno}-${op}'", RackTablesError::INTERNAL);
                        // We have a chance to handle an error before starting HTTP header.
-                       if (!isset ($delayauth[$pageno][$tabno][$op]) and !permitted())
-                               showError ('Operation not permitted');
-                       else
-                       {
-                               // Call below does the job of bypass argument assertion, if such is required,
-                               // so the ophandler function doesn't have to re-assert this portion of its
-                               // arguments. And it would be even better to pass returned value to ophandler,
-                               // so it is not necessary to remember the name of bypass in it.
-                               getBypassValue();
-                               if (strlen ($redirect_to = call_user_func ($ophandler[$pageno][$tabno][$op])))
-                                       $location = $redirect_to;
-                       }
-                       header ("Location: " . $location);
+                       if (!isset ($delayauth[$pageno][$tabno][$op]))
+                               assertPermission();
+                       # Call below does the job of bypass argument assertion, if such is required,
+                       # so the ophandler function doesn't have to re-assert this portion of its
+                       # arguments. And it would be even better to pass returned value to ophandler,
+                       # so it is not necessary to remember the name of bypass in it.
+                       getBypassValue();
+                       if (strlen ($redirect_to = call_user_func ($ophandler[$pageno][$tabno][$op])))
+                               $location = $redirect_to;
                }
                // known "soft" failures require a short error message
                catch (InvalidRequestArgException $e)
                {
                        ob_clean();
                        showError ($e->getMessage());
-                       header ('Location: ' . $location);
                }
                catch (RTDatabaseError $e)
                {
                        ob_clean();
                        showError ('Database error: ' . $e->getMessage());
-                       header ('Location: ' . $location);
                }
+               catch (RTPermissionDenied $e)
+               {
+                       ob_clean();
+                       showError ('Operation not permitted');
+               }
+               header ('Location: ' . $location);
                // any other error requires no special handling and will be caught outside
                break;
        case 'popup' == $_REQUEST['module']: