From 8d0530e7de15ba67986d4d71fdf86db5a5e26bff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Noack?= <noack@data-quest.de>
Date: Mon, 6 Jan 2025 08:27:56 +0000
Subject: [PATCH] =?UTF-8?q?Resolve=20#5090=20"=C3=9Cbrig=20gebliebene=20Ve?=
 =?UTF-8?q?rwendung=20von=20$GLOBALS['auth']=20entfernen"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #5090

Merge request studip/studip!3804
---
 app/controllers/api/oauth2/authorize.php   |  8 ++++++--
 app/controllers/course/forum/index.php     |  2 +-
 app/controllers/course/ilias_interface.php |  2 +-
 app/controllers/new_password.php           |  2 +-
 app/controllers/news.php                   |  3 ---
 lib/classes/Context.php                    | 12 ++++++++----
 lib/functions.php                          |  5 ++++-
 lib/middleware/SeminarOpenMiddleware.php   |  8 +++++++-
 lib/showNews.inc.php                       |  2 +-
 9 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/app/controllers/api/oauth2/authorize.php b/app/controllers/api/oauth2/authorize.php
index 6387937dd29..fe336826afe 100644
--- a/app/controllers/api/oauth2/authorize.php
+++ b/app/controllers/api/oauth2/authorize.php
@@ -24,7 +24,9 @@ class Api_Oauth2_AuthorizeController extends OAuth2Controller
         $method = $this->getMethod();
 
         if (Request::submitted('auth_token')) {
-            $GLOBALS['auth']->login_if('nobody' === $GLOBALS['user']->id);
+            if ('nobody' === $GLOBALS['user']->id) {
+                throw new LoginException();
+            }
             CSRFProtection::verifyUnsafeRequest();
 
             switch ($method) {
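Review bot: The new login guard is written as `'nobody' === $GLOBALS['user']->id` here and again in the second hunk of this file, while the same commit expresses the same condition as `!User::findCurrent()` in Context.php and new_password.php; one idiom should be used across the commit so a later change to "who counts as logged in" has a single shape to find. In the second hunk the guard also sits in an `else` after a branch that already ends in `return;`, so the `else {` / `}` wrapper can be dropped and the three lines placed at the outer level, which would also make the two guards identical candidates for a small private helper. The enclosing action method starts before this hunk and continues after the second one.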
@@ -59,7 +61,9 @@ class Api_Oauth2_AuthorizeController extends OAuth2Controller
 
             return;
         } else {
-            $GLOBALS['auth']->login_if('nobody' === $GLOBALS['user']->id);
+            if ('nobody' === $GLOBALS['user']->id) {
+                throw new LoginException();
+            }
         }
 
         $this->client = $client;
diff --git a/app/controllers/course/forum/index.php b/app/controllers/course/forum/index.php
index 9be214ea3a8..6eafcd5b855 100644
--- a/app/controllers/course/forum/index.php
+++ b/app/controllers/course/forum/index.php
@@ -832,7 +832,7 @@ class Course_Forum_IndexController extends ForumController
     public function rescue($exception)
     {
         if ($exception instanceof AccessDeniedException) {
-            $GLOBALS['auth']->login_if($GLOBALS['user']->id === 'nobody');
+            throw new LoginException();
         }
 
         return parent::rescue($exception);
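Review bot: The new `rescue()` turns every `AccessDeniedException` into a `LoginException`, whereas the removed line only sent the user to the login page when `$GLOBALS['user']->id === 'nobody'`; a logged-in user who simply lacks forum permission will now be redirected to the login page (with `redirect_after_login` pointing back here, per the handler in lib/functions.php in this commit) instead of reaching `parent::rescue()` and the access-denied page, which looks like a redirect loop for that user. Keep the old condition on the guard: `if ($exception instanceof AccessDeniedException && $GLOBALS['user']->id === 'nobody') {`.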
diff --git a/app/controllers/course/ilias_interface.php b/app/controllers/course/ilias_interface.php
index 4f453972ca7..492ae80cc48 100644
--- a/app/controllers/course/ilias_interface.php
+++ b/app/controllers/course/ilias_interface.php
@@ -47,7 +47,7 @@ class Course_IliasInterfaceController extends AuthenticatedController
         $this->seminar_id = Context::getId();
         $this->edit_permission = $GLOBALS['perm']->have_studip_perm('tutor', $this->seminar_id);
         $this->author_permission = false;
-        $this->change_course_permission = $GLOBALS['auth']->auth["perm"] == "root" || ($GLOBALS['perm']->have_studip_perm('tutor', $this->seminar_id) && !empty($this->ilias_interface_config['allow_change_course']));
+        $this->change_course_permission = $GLOBALS['perm']->have_perm('root') || ($GLOBALS['perm']->have_studip_perm('tutor', $this->seminar_id) && !empty($this->ilias_interface_config['allow_change_course']));
         $this->add_own_course_permission = $GLOBALS['perm']->have_studip_perm('tutor', $this->seminar_id) && !empty($this->ilias_interface_config['allow_add_own_course']);
         $this->course_permission = $GLOBALS['perm']->have_studip_perm('tutor', $this->seminar_id);
 
diff --git a/app/controllers/new_password.php b/app/controllers/new_password.php
index 956bc5cd6d6..baa9e622874 100644
--- a/app/controllers/new_password.php
+++ b/app/controllers/new_password.php
@@ -19,7 +19,7 @@ class NewPasswordController extends StudipController
             return;
         }
 
-        if ($GLOBALS['auth'] && $GLOBALS['auth']->auth["uid"] != "nobody") {
+        if (User::findCurrent()) {
             PageLayout::postError(_("Sie können kein neues Passwort anfordern, wenn Sie bereits eingeloggt sind."));
             $this->redirect('start');
             return;
diff --git a/app/controllers/news.php b/app/controllers/news.php
index 4b9eb60754f..29472c27349 100644
--- a/app/controllers/news.php
+++ b/app/controllers/news.php
@@ -436,9 +436,6 @@ class NewsController extends StudipController
     public function admin_news_action($area_type = '')
     {
         // check permission
-        if (!$GLOBALS['auth']->is_authenticated() || $GLOBALS['user']->id === 'nobody') {
-            throw new AccessDeniedException();
-        }
         $GLOBALS['perm']->check('user');
 
         // initialize
diff --git a/lib/classes/Context.php b/lib/classes/Context.php
index e7b2e0146ab..1bc26239b89 100644
--- a/lib/classes/Context.php
+++ b/lib/classes/Context.php
@@ -200,11 +200,11 @@ class Context
      *
      * @param string $id
      *
-     * @throws AccessDeniedException
+     * @throws AccessDeniedException|LoginException
      */
     public static function set($id)
     {
-        global $perm, $auth;
+        global $perm;
 
         self::close();
         self::loadContext($id);
@@ -226,7 +226,9 @@ class Context
             if (!$perm->get_studip_perm($course['Seminar_id'])) {
                 if ($course['lesezugriff'] > 0 || !Config::get()->ENABLE_FREE_ACCESS) {
                     // redirect to login page if user is not logged in
-                    $auth->login_if($auth->auth['uid'] === 'nobody');
+                    if (!User::findCurrent()) {
+                        throw new LoginException();
+                    }
 
                     if (!$perm->get_studip_perm($course['Seminar_id'])) {
                         throw new AccessDeniedException();
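Review bot: The comment `// redirect to login page if user is not logged in` kept above the new `throw new LoginException()` here and in the next hunk of this file no longer describes what these lines do; the redirect is now performed by whichever caller catches the exception (studip_default_exception_handler or SeminarOpenMiddleware in this commit), so a reader of `Context::set()` alone is misled. Suggested wording for both places: `// not logged in: throw so the exception handler / middleware redirects to the login page`. `Context::set()` starts before and ends after these hunks.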
@@ -257,7 +259,9 @@ class Context
                        && !$perm->have_perm('user');
             if ($no_access) {
                 // redirect to login page if user is not logged in
-                $auth->login_if($auth->auth['uid'] === 'nobody');
+                if (!User::findCurrent()) {
+                    throw new LoginException();
+                }
 
                 if (!$perm->have_perm('user')) {
                     throw new AccessDeniedException();
diff --git a/lib/functions.php b/lib/functions.php
index 29264fbf0ba..d03c266e508 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1123,7 +1123,10 @@ function studip_default_exception_handler($exception) {
         $status = 403;
         $template = 'check_object_exception';
     } elseif ($exception instanceof LoginException) {
-
+        $_SESSION['redirect_after_login'] = Request::url();
+        sess()->save();
+        header('Location: ' . URLHelper::getScriptURL('dispatch.php/login'));
+        exit;
     } else {
         if ($exception instanceOf Trails\Exception) {
             $status = $exception->getCode();
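Review bot: The new `LoginException` branch calls `header('Location: ...')` unconditionally and then `exit`s; if any output was already flushed before the exception reached this handler, the header is dropped with a warning and the user is left on a blank page. Guard it, e.g. `if (!headers_sent()) { header('Location: ' . URLHelper::getScriptURL('dispatch.php/login')); exit; }` and otherwise let the branch fall through to the normal error template with a `$status`. Separately, this branch builds the login target with `URLHelper::getScriptURL('dispatch.php/login')` while the equivalent catch in lib/middleware/SeminarOpenMiddleware.php in this commit uses `\URLHelper::getURL('dispatch.php/login')`; if the two helpers differ (bound URL parameters, presumably), the user lands on slightly different login URLs depending on which path caught the exception, so one should be chosen unless the difference is intended. `studip_default_exception_handler()` starts before and ends after this hunk.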
diff --git a/lib/middleware/SeminarOpenMiddleware.php b/lib/middleware/SeminarOpenMiddleware.php
index 20d7f9e1f75..13c4f5f30d8 100644
--- a/lib/middleware/SeminarOpenMiddleware.php
+++ b/lib/middleware/SeminarOpenMiddleware.php
@@ -154,7 +154,13 @@ final class SeminarOpenMiddleware implements MiddlewareInterface
         // This also binds Context::getId()
         // to the URL parameter 'cid' for all generated links.
         if (isset($course_id)) {
-            \Context::set($course_id);
+            try {
+                \Context::set($course_id);
+            } catch (\LoginException $e) {
+                $response = $this->response_factory->createResponse(302);
+                $_SESSION['redirect_after_login'] = \Request::url();
+                return $response->withHeader('Location', \URLHelper::getURL('dispatch.php/login'));
+            }
             unset($course_id);
         }
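Review bot: The catch binds `$e` but never uses it; PHP 8 allows `catch (\LoginException) {` without a variable, which also signals to the reader that nothing from the exception is needed. The session value `$_SESSION['redirect_after_login']` is set only after the 302 response object has been created and is not explicitly persisted, whereas the parallel branch in lib/functions.php calls `sess()->save()` before redirecting; if the middleware stack relies on a shutdown write this is fine, but it is worth confirming that the session is flushed before the response is sent, otherwise the post-login redirect target may be lost. The enclosing `process()` method starts before and ends after this hunk.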
 
diff --git a/lib/showNews.inc.php b/lib/showNews.inc.php
index 1a52d630b3b..a63529ae4b8 100644
--- a/lib/showNews.inc.php
+++ b/lib/showNews.inc.php
@@ -56,7 +56,7 @@ function delete_news($delete_news_array)
                         _('Ankündigung "%s" wurde gelöscht.'),
                         htmlReady((string) $delete_news->topic)
                     ));
-                    if ($delete_news->getValue('user_id') != $GLOBALS['auth']->auth['uid']) {
+                    if ($delete_news->getValue('user_id') !== $GLOBALS['user']->id) {
                         setTempLanguage($delete_news->getValue('user_id'));
                         $msg = sprintf(
                                 _('Ihre Ankündigung "%s" wurde von der Administration gelöscht!.'),
-- 
GitLab