From 6a13b6dd253a9d61c11822c2c0b9734540339272 Mon Sep 17 00:00:00 2001
From: Giraffaman
Date: Sun, 25 Feb 2024 15:39:35 +0100
Subject: [PATCH] restrict all pool-related functions to logged in users only
---
 core/permissions.php | 2 ++
 core/userclass.php | 2 ++
 ext/pools/main.php | 5 +----
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/core/permissions.php b/core/permissions.php
index a4123099a..bd32b19c3 100644
--- a/core/permissions.php
+++ b/core/permissions.php
@@ -130,6 +130,8 @@ abstract class Permissions
 public const POOLS_ADMIN = "pools_admin";
 public const POOLS_CREATE = "pools_create";
 public const POOLS_UPDATE = "pools_update";
+ # 2024-02-25: added pool view permission to restrict to logged in users only
+ public const POOLS_VIEW = "pools_view";
 public const SET_PRIVATE_IMAGE = "set_private_image";
 public const SET_OTHERS_PRIVATE_IMAGES = "set_others_private_images";
diff --git a/core/userclass.php b/core/userclass.php
index 530b94542..b96f75b53 100644
--- a/core/userclass.php
+++ b/core/userclass.php
@@ -128,6 +128,8 @@ public function can(string $ability): bool
 Permissions::NOTES_REQUEST => true,
 Permissions::POOLS_CREATE => true,
 Permissions::POOLS_UPDATE => true,
+ # 2024-02-25: added permissions to view pools and tags to restrict this to logged in users only
+ Permissions::POOLS_VIEW => true,
 ]);
 new UserClass("hellbanned", "user", [
diff --git a/ext/pools/main.php b/ext/pools/main.php
index c97126cc8..077aeabc1 100644
--- a/ext/pools/main.php
+++ b/ext/pools/main.php
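Review bot: The comment added above `POOLS_VIEW` in core/permissions.php is a dated change note rather than a description of the permission, and the same pattern is repeated in the core/userclass.php hunk. The date and the reason for the change are already in the commit record, so the comment would be more useful if it said what holding the permission allows, for example `// required to view any pool page`. The neighbouring constants in this hunk carry no per-line history, so the dated form is also inconsistent with the surrounding file.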
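Review bot: The comment added in core/userclass.php says the change grants permission to view "pools and tags", but the only entry added is `Permissions::POOLS_VIEW => true,` and nothing in this commit touches tag access, so the comment overstates what the access-control table does. Suggested wording: `# POOLS_VIEW is granted here and must stay out of the anonymous class so pool pages require login`. The restriction only holds if the anonymous class neither inherits from the class edited here nor receives `POOLS_VIEW` some other way; that definition is outside the hunk and should be checked. Custom user classes that do not inherit from this one would presumably lose pool access after the change, which deserves a line in the upgrade notes.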
@@ -232,10 +232,7 @@ public function onPageSubNavBuilding(PageSubNavBuildingEvent $event): void
 public function onPageRequest(PageRequestEvent $event): void
 {
 global $config, $database, $page, $user;
- if(! $user->is_logged_in()) {
- $errMessage = "You must be registered and logged in to use pools.";
- $this->theme->display_error(401, "Unauthorized", $errMessage);
- } else {
+ if($event->page_matches("pool", permission: Permissions::POOLS_VIEW)) {
 if (
 $event->page_matches("pool/list", paged: true)
 || $event->page_matches("pool/list/{search}", paged: true)
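Review bot: The only access check left in onPageRequest is the `permission:` argument on `page_matches("pool", ...)`, so the gate now depends on two behaviours of that call that this hunk does not show. If `page_matches("pool")` matches only the exact path rather than acting as a prefix, the nested `pool/list` branches become unreachable; and if a missing permission makes it return false instead of raising, anonymous requests fall through without the 401 the removed branch produced. Both should be confirmed against the implementation, ideally with a test that an anonymous request to `pool/list` is refused and a logged-in one is served. A comment above the condition such as `// POOLS_VIEW gates every pool/* route handled below` would record the intent. The body of onPageRequest continues outside the hunk and the extension's other handlers are not shown, so the subject's claim that all pool-related functions are restricted cannot be verified from these lines.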