Improve session handler and add Ajax session check

2014-11-29 17:18:23 -05:00
parent 7d36747de6
commit e72327d4b1
10 changed files with 68 additions and 22 deletions
--- a/app/Controller/App.php
+++ b/app/Controller/App.php
@@ -14,6 +14,16 @@ use Helper;
 */
 class App extends Base
 {
+    /**
+     * Check if the user is connected
+     *
+     * @access public
+     */
+    public function status()
+    {
+        $this->response->text('OK');
+    }
+
    /**
     * Dashboard for the current user
     *
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -140,7 +140,7 @@ abstract class Base
    public function beforeAction($controller, $action)
    {
        // Start the session
-        $this->session->open(BASE_URL_DIRECTORY, SESSION_SAVE_PATH);
+        $this->session->open(BASE_URL_DIRECTORY);

        // HTTP secure headers
        $this->response->csp(array('style-src' => "'self' 'unsafe-inline'"));
@@ -161,6 +161,11 @@ abstract class Base

        // Authentication
        if (! $this->authentication->isAuthenticated($controller, $action)) {
+
+            if ($this->request->isAjax()) {
+                $this->response->text('Not Authorized', 401);
+            }
+
            $this->response->redirect('?controller=user&action=login&redirect_query='.urlencode($this->request->getQueryString()));
        }

--- a/app/Controller/Board.php
+++ b/app/Controller/Board.php
@@ -342,7 +342,7 @@ class Board extends Base
        if ($project_id > 0 && $this->request->isAjax()) {

            if (! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) {
-                $this->response->status(401);
+                $this->response->text('Forbidden', 403);
            }

            $values = $this->request->getJson();
@@ -366,7 +366,7 @@ class Board extends Base
            }
        }
        else {
-            $this->response->status(401);
+            $this->response->status(403);
        }
    }

@@ -383,7 +383,7 @@ class Board extends Base
            $timestamp = $this->request->getIntegerParam('timestamp');

            if ($project_id > 0 && ! $this->projectPermission->isUserAllowed($project_id, $this->acl->getUserId())) {
-                $this->response->text('Not Authorized', 401);
+                $this->response->text('Forbidden', 403);
            }

            if ($this->project->isModifiedSince($project_id, $timestamp)) {
@@ -402,7 +402,7 @@ class Board extends Base
            }
        }
        else {
-            $this->response->status(401);
+            $this->response->status(403);
        }
    }