Fix Controller::assertPermission() allowing everything for unauthenticated requests
fixes #12108
This commit is contained in:
parent
4398267db5
commit
c8b1693fdc
|
@ -179,7 +179,7 @@ class ActionController extends Zend_Controller_Action
|
|||
*/
|
||||
public function assertPermission($permission)
|
||||
{
|
||||
if ($this->requiresAuthentication && ! $this->Auth()->hasPermission($permission)) {
|
||||
if (! $this->Auth()->hasPermission($permission)) {
|
||||
throw new SecurityException('No permission for %s', $permission);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -26,7 +26,8 @@ class ModuleActionController extends ActionController
|
|||
protected function prepareInit()
|
||||
{
|
||||
$this->moduleInit();
|
||||
if ($this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
|
||||
if ($this->requiresLogin()
|
||||
&& $this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
|
||||
$this->assertPermission(Manager::MODULE_PERMISSION_NS . $this->getModuleName());
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue