UPD: Block missing permissions effectively.

author Felix Dörre <felix@dogcraft.de>

Sun, 21 Sep 2014 14:23:17 +0000 (16:23 +0200)

committer Felix Dörre <felix@dogcraft.de>

Sun, 21 Sep 2014 14:31:13 +0000 (16:31 +0200)
author Felix Dörre <felix@dogcraft.de>
Sun, 21 Sep 2014 14:23:17 +0000 (16:23 +0200)
committer Felix Dörre <felix@dogcraft.de>
Sun, 21 Sep 2014 14:31:13 +0000 (16:31 +0200)
diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java

index cf91b6b1279e80911c501ea3abf1796765c79229..f6b02f4568bf7dde1c34a39eb8033203e85a4602 100644 (file)
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -206,11 +206,15 @@ public class Gigi extends HttpServlet {
                  return;
              }
              User currentPageUser = LoginPage.getUser(req);
                  return;
              }
              User currentPageUser = LoginPage.getUser(req);
-            if ( !p.isPermitted(currentPageUser) && hs.getAttribute("loggedin") == null) {
-                String request = req.getPathInfo();
-                request = request.split("\\?")[0];
-                hs.setAttribute(LoginPage.LOGIN_RETURNPATH, request);
-                resp.sendRedirect("/login");
+            if ( !p.isPermitted(currentPageUser)) {
+                if (hs.getAttribute("loggedin") == null) {
+                    String request = req.getPathInfo();
+                    request = request.split("\\?")[0];
+                    hs.setAttribute(LoginPage.LOGIN_RETURNPATH, request);
+                    resp.sendRedirect("/login");
+                    return;
+                }
+                resp.sendError(403);
                  return;
              }
              if (p.beforeTemplate(req, resp)) {
                  return;
              }
              if (p.beforeTemplate(req, resp)) {
author	Felix Dörre <felix@dogcraft.de>
	Sun, 21 Sep 2014 14:23:17 +0000 (16:23 +0200)
committer	Felix Dörre <felix@dogcraft.de>
	Sun, 21 Sep 2014 14:31:13 +0000 (16:31 +0200)