Fix Controller::assertPermission() allowing everything for unauthenticated requests

fixes #12108
Alexander A. Klimov 2016-08-31 13:19:30 +02:00 committed by Eric Lippmann
parent 4398267db5
commit c8b1693fdc
2 changed files with 3 additions and 2 deletions


@ -179,7 +179,7 @@ class ActionController extends Zend_Controller_Action
*/
public function assertPermission($permission)
{
if ($this->requiresAuthentication && ! $this->Auth()->hasPermission($permission)) {
if (! $this->Auth()->hasPermission($permission)) {
throw new SecurityException('No permission for %s', $permission);
}
}
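Review bot: With the `$this->requiresAuthentication &&` guard gone, `assertPermission()` depends entirely on `$this->Auth()->hasPermission($permission)` returning false when no user is authenticated, and nothing in this hunk shows that it does. That path should be confirmed and stated in the docblock above, for example `@throws SecurityException If the request is unauthenticated or the user lacks the permission`. The docblock starts outside the hunk, so its current wording is not visible here. Neither of the two changed files appears to be a test; a case that calls `assertPermission()` on a controller with `requiresAuthentication` set to false and no login would pin the fix.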


@ -26,7 +26,8 @@ class ModuleActionController extends ActionController
protected function prepareInit()
{
$this->moduleInit();
if ($this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
if ($this->requiresLogin()
&& $this->getFrontController()->getDefaultModule() !== $this->getModuleName()) {
$this->assertPermission(Manager::MODULE_PERMISSION_NS . $this->getModuleName());
}
}
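Review bot: The added `$this->requiresLogin() &&` condition means the module permission is never asserted for a module controller that does not require login, so the exemption removed from `assertPermission()` now lives in `prepareInit()` without any explanation. This is presumably intended for public module pages, but it is a security-relevant rule and deserves a comment on the condition, e.g. `// Controllers that do not require login are public by design; the module permission is only enforced where login is required`. The body of `requiresLogin()` is not visible here, so if it does more than read a flag, check that calling it at this point has no ordering side effects. `moduleInit()` also still runs before the permission check, so it should not do anything that assumes the permission was granted.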