
Commit 4b6c2c8

committed
[ticket/10961] Send HTTP 403 when applicable
PHPBB3-10961
1 parent dff9501 commit 4b6c2c8

26 files changed

Lines changed: 98 additions & 0 deletions

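--- a/phpBB/adm/index.php
+++ b/phpBB/adm/index.php
@@ -41,6 +41,7 @@
 // check specific permissions but this is a catchall
 if (!$auth->acl_get('a_'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NO_ADMIN');
 }
 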
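Review bot: The `send_status_line(403, 'Forbidden');` / `trigger_error('NO_ADMIN');` pair added at new line 44 is the same two-line sequence this commit repeats at every denial site, which makes it easy for the next permission check someone adds to get the `trigger_error` without the status line. A small wrapper in functions.php, e.g. `function trigger_error_forbidden($message, $errno = E_USER_ERROR) { send_status_line(403, 'Forbidden'); trigger_error($message, $errno); }`, would keep the status and the error page together at one place. The rest of adm/index.php is outside the hunk, so I cannot tell whether any output has been emitted before this point; the status line presumably only takes effect if headers have not been sent yet.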
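--- a/phpBB/includes/acp/acp_groups.php
+++ b/phpBB/includes/acp/acp_groups.php
@@ -223,6 +223,7 @@ function main($id, $mode)
 }
 else if ($action === 'delete' && $group_row['group_type'] == GROUP_SPECIAL)
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -235,6 +236,7 @@ function main($id, $mode)
 case 'delete':
 if (!$auth->acl_get('a_groupdel'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -313,6 +315,7 @@ function main($id, $mode)
 
 if ($action == 'add' && !$auth->acl_get('a_groupadd'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 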
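--- a/phpBB/includes/acp/acp_inactive.php
+++ b/phpBB/includes/acp/acp_inactive.php
@@ -164,6 +164,7 @@ function main($id, $mode)
 {
 if (!$auth->acl_get('a_userdel'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 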
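--- a/phpBB/includes/acp/acp_main.php
+++ b/phpBB/includes/acp/acp_main.php
@@ -118,6 +118,7 @@ function main($id, $mode)
 case 'online':
 if (!$auth->acl_get('a_board'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -134,6 +135,7 @@ function main($id, $mode)
 case 'stats':
 if (!$auth->acl_get('a_board'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -189,6 +191,7 @@ function main($id, $mode)
 case 'user':
 if (!$auth->acl_get('a_board'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -256,6 +259,7 @@ function main($id, $mode)
 case 'date':
 if (!$auth->acl_get('a_board'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -372,6 +376,7 @@ function main($id, $mode)
 case 'purge_sessions':
 if ((int) $user->data['user_type'] !== USER_FOUNDER)
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 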
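--- a/phpBB/includes/acp/acp_permissions.php
+++ b/phpBB/includes/acp/acp_permissions.php
@@ -315,6 +315,7 @@ function main($id, $mode)
 case 'apply_permissions':
 if (!isset($_POST['setting']))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 if (!check_form_key($form_name))
@@ -328,6 +329,7 @@ function main($id, $mode)
 case 'apply_all_permissions':
 if (!isset($_POST['setting']))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 if (!check_form_key($form_name))
@@ -687,6 +689,7 @@ function set_permissions($mode, $permission_type, &$auth_admin, &$user_id, &$gro
 // Check the permission setting again
 if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -772,6 +775,7 @@ function set_all_permissions($mode, $permission_type, &$auth_admin, &$user_id, &
 // Check the permission setting again
 if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 
@@ -884,6 +888,7 @@ function remove_permissions($mode, $permission_type, &$auth_admin, &$user_id, &$
 // Check the permission setting again
 if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 }
 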
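Review bot: In the `apply_permissions` hunk the new 403 at new line 318 is sent when `$_POST['setting']` is simply absent, which is a malformed request rather than a refused one; `send_status_line(400, 'Bad Request');` would describe that case and keep 403 for the real permission refusals in `set_permissions`, `set_all_permissions` and `remove_permissions` below. The `check_form_key($form_name)` failure on the line immediately after is the CSRF check and gets no status line in this hunk; its `trigger_error` is outside the visible lines, so if the commit does not cover it elsewhere it deserves a 403 at least as much as the missing-field case. The same two points apply to the `apply_all_permissions` hunk. The enclosing `main` body starts and ends outside these hunks.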
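--- a/phpBB/includes/acp/acp_users.php
+++ b/phpBB/includes/acp/acp_users.php
@@ -205,6 +205,7 @@ function main($id, $mode)
 {
 if (!$auth->acl_get('a_userdel'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 }
 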
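--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -2264,6 +2264,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 {
 $phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
 }
+send_status_line(403, 'Forbidden');
 trigger_error('NO_AUTH_ADMIN');
 }
 
@@ -2280,6 +2281,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 {
 $phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
 }
+send_status_line(403, 'Forbidden');
 trigger_error('NO_AUTH_ADMIN');
 }
 
@@ -2301,6 +2303,8 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 {
 // We log the attempt to use a different username...
 $phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
+
+send_status_line(403, 'Forbidden');
 trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 }
 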
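Review bot: The third `login_box` hunk adds an empty line (new line 2306) between the `$phpbb_log->add(...)` call and `send_status_line(403, 'Forbidden');`, whereas the two hunks above place the status line directly after the closing brace of the log block; dropping that blank line keeps the three admin-denial paths formatted alike. The ordering itself is right in all three: the audit log entry is written first, then the status, then `trigger_error`, which presumably renders the error page and ends the request. `login_box`'s signature appears in the hunk header but its body starts and ends outside the hunks, so I cannot see the conditions guarding the first two log calls.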
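--- a/phpBB/includes/functions_privmsgs.php
+++ b/phpBB/includes/functions_privmsgs.php
@@ -801,6 +801,7 @@ function move_pm($user_id, $message_limit, $move_msg_ids, $dest_folder, $cur_fol
 
 if (!$row)
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NOT_AUTHORISED');
 }
 
@@ -965,6 +966,7 @@ function handle_mark_actions($user_id, $mark_action)
 
 if (!$auth->acl_get('u_pm_delete'))
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NO_AUTH_DELETE_MESSAGE');
 }
 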
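Review bot: In `move_pm` the 403 at new line 804 is keyed on `!$row`, i.e. on the row lookup above the hunk returning nothing, so it now labels a destination folder that does not exist as forbidden in the same way as a folder belonging to another user. If that query filters by `$user_id` (it is outside the hunk, so I cannot confirm) the two cases are indistinguishable here and 403 is a defensible default; if it does not, a missing folder is a 404 and the status should be chosen after telling the cases apart. Either way a one-line comment such as `// no row: folder is missing or not owned by $user_id; treat both as a refusal` above the check would record the decision. `move_pm`'s body continues outside the hunk.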
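--- a/phpBB/includes/mcp/mcp_logs.php
+++ b/phpBB/includes/mcp/mcp_logs.php
@@ -83,6 +83,7 @@ function main($id, $mode)
 
 if (!in_array($forum_id, $forum_list))
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NOT_AUTHORISED');
 }
 
@@ -101,6 +102,7 @@ function main($id, $mode)
 
 if (!in_array($forum_id, $forum_list))
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NOT_AUTHORISED');
 }
 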
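--- a/phpBB/includes/mcp/mcp_queue.php
+++ b/phpBB/includes/mcp/mcp_queue.php
@@ -622,6 +622,7 @@ static public function approve_posts($action, $post_id_list, $id, $mode)
 
 if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve')))
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NOT_AUTHORISED');
 }
 
@@ -877,6 +878,7 @@ static public function approve_topics($action, $topic_id_list, $id, $mode)
 
 if (!phpbb_check_ids($topic_id_list, TOPICS_TABLE, 'topic_id', array('m_approve')))
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NOT_AUTHORISED');
 }
 
@@ -1074,6 +1076,7 @@ static public function disapprove_posts($post_id_list, $id, $mode)
 
 if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve')))
 {
+send_status_line(403, 'Forbidden');
 trigger_error('NOT_AUTHORISED');
 }
 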
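Review bot: In `approve_posts` the 403 at new line 625 is tied to `phpbb_check_ids(...)` returning false, and since that helper is handed the `m_approve` ACL list its false return presumably covers both ids the moderator may not approve and ids that do not exist or an empty list; the helper is outside this hunk so I cannot confirm which cases it rejects. 403 is right for the permission case, but if the helper also fails on an empty or unknown `$post_id_list`, a comment at the call site such as `// also reached for an empty or unknown id list, not only for a missing m_approve` would stop the next reader from treating every 403 here as an ACL denial, or the call site could test the ids separately and send 400 for that case. The identical check is repeated in `approve_topics` and `disapprove_posts`, so whichever choice is made should be applied to all three.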