From 06e48901cda454495e2bcad873e4805f1a69fa89 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sun, 21 Sep 2014 16:23:17 +0200
Subject: [PATCH] UPD: Block missing permissions effectively.

---
 src/org/cacert/gigi/Gigi.java | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index cf91b6b1..f6b02f45 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -206,11 +206,15 @@ public class Gigi extends HttpServlet {
 return;
 }
 User currentPageUser = LoginPage.getUser(req);
- if ( !p.isPermitted(currentPageUser) && hs.getAttribute("loggedin") == null) {
- String request = req.getPathInfo();
- request = request.split("\\?")[0];
- hs.setAttribute(LoginPage.LOGIN_RETURNPATH, request);
- resp.sendRedirect("/login");
+ if ( !p.isPermitted(currentPageUser)) {
+ if (hs.getAttribute("loggedin") == null) {
+ String request = req.getPathInfo();
+ request = request.split("\\?")[0];
+ hs.setAttribute(LoginPage.LOGIN_RETURNPATH, request);
+ resp.sendRedirect("/login");
+ return;
+ }
+ resp.sendError(403);
 return;
 }
 if (p.beforeTemplate(req, resp)) {
-- 
2.39.2
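Review bot: The value stored under `LoginPage.LOGIN_RETURNPATH` in the unauthenticated branch is the raw `req.getPathInfo()`, and nothing in this hunk checks it before it is kept as the post-login return target. If `LoginPage` does not validate it either (not visible here), store only local paths, e.g. `if (request != null && request.startsWith("/") && !request.startsWith("//")) hs.setAttribute(LoginPage.LOGIN_RETURNPATH, request);`. Per the Servlet API `getPathInfo()` may return null and never carries the query string, so `request.split("\\?")[0]` can throw a NullPointerException unless a check outside the hunk rules that out, and is otherwise normally a no-op. On the new denial path, `resp.sendError(HttpServletResponse.SC_FORBIDDEN);` reads better than the literal 403, and a log entry naming the user and the refused page would make denied accesses visible to operators. The enclosing method starts and ends outside the hunk.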