diff --git a/airtime_mvc/application/configs/ACL.php b/airtime_mvc/application/configs/ACL.php
index 2dbb6f5cd..f1ae5a21c 100644
--- a/airtime_mvc/application/configs/ACL.php
+++ b/airtime_mvc/application/configs/ACL.php
@@ -48,7 +48,8 @@ $ccAcl->allow('G', 'index')
     ->allow('G', 'locale')
     ->allow('G', 'upgrade')
     ->allow('G', 'downgrade')
-    ->allow('G', 'rest:media')
+    ->allow('G', 'rest:media', 'get')
+    ->allow('H', 'rest:media')
     ->allow('H', 'preference', 'is-import-in-progress')
     ->allow('H', 'usersettings')
     ->allow('H', 'plupload')
diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
index 2696fd27d..bd803ec89 100644
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
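Review bot: The narrowed rule `->allow('G', 'rest:media', 'get')` depends on the REST media controller naming its read action exactly 'get', and nothing in this file records that; the Acl_plugin.php hunk below compares the same literal in `$request->_action != "get"` to decide which REST requests skip the CSRF check, so the two files must stay in step. I would put a comment above the rule, `// Role G may only 'get' media over REST; role H gets every rest:media action (keep 'get' in sync with the CSRF exemption in Acl_plugin.php).` It is also worth confirming that 'get' is the only read-only action on rest:media, since any other listing or download action the controller exposes becomes denied to role G with this change — presumably intended, but not visible here. Because this is an access-control tightening, a test asserting that role G is refused a non-get rest:media action would pin the behaviour against future ACL edits.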
@@ -123,28 +123,32 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
     die();
     }
     }
+    else //Non-REST, regular Airtime web app requests
+    {
+    //Redirect you to the login screen since you have no session.
+    if ($controller !== 'login') {
-    if ($controller !== 'login') {
+    if ($request->isXmlHttpRequest()) {
-    if ($request->isXmlHttpRequest()) {
+    $url = 'http://'.$request->getHttpHost().'/login';
+    $json = Zend_Json::encode(array('auth' => false, 'url' => $url));
-    $url = 'http://'.$request->getHttpHost().'/login';
-    $json = Zend_Json::encode(array('auth' => false, 'url' => $url));
+    // Prepare response
+    $this->getResponse()
+    ->setHttpResponseCode(401)
+    ->setBody($json)
+    ->sendResponse();
-    // Prepare response
-    $this->getResponse()
-    ->setHttpResponseCode(401)
-    ->setBody($json)
-    ->sendResponse();
-
-    //redirectAndExit() cleans up, sends the headers and stops the script
-    Zend_Controller_Action_HelperBroker::getStaticHelper('redirector')->redirectAndExit();
-    } else {
-    $r = Zend_Controller_Action_HelperBroker::getStaticHelper('redirector');
-    $r->gotoSimpleAndExit('index', 'login', $request->getModuleName());
-    }
+    //redirectAndExit() cleans up, sends the headers and stops the script
+    Zend_Controller_Action_HelperBroker::getStaticHelper('redirector')->redirectAndExit();
+    } else {
+    $r = Zend_Controller_Action_HelperBroker::getStaticHelper('redirector');
+    $r->gotoSimpleAndExit('index', 'login', $request->getModuleName());
+    }
+    }
     }
-    } else {
+    } else { //We have a session/identity.
+
     // If we have an identity and we're making a RESTful request,
     // we need to check the CSRF token
     if ($request->_action != "get" && $request->getModuleName() == "rest") {