authorCraig Andrews <candrews@integralblue.com>2010-10-20 20:22:34 -0400
committerCraig Andrews <candrews@integralblue.com>2010-10-20 20:26:35 -0400
commit90c87553ee7566593529199374215ae80bb3e209 (patch)
treeb53bc9c461a8be0ae26beac6e7805228760a2612
parent3593f3f1323bfce289bc9805629f7d126dac7ae6 (diff)
Redirect to https when making an http request for a sensitive action
-rw-r--r--actions/login.php22
-rw-r--r--actions/register.php7
-rw-r--r--index.php8
3 files changed, 8 insertions, 29 deletions
diff --git a/actions/login.php b/actions/login.php
index 07c601a4d..103df7ee5 100644
--- a/actions/login.php
+++ b/actions/login.php
@@ -63,28 +63,6 @@ class LoginAction extends Action
}
/**
- * Prepare page to run
- *
- *
- * @param $args
- * @return string title
- */
-
- function prepare($args)
- {
- parent::prepare($args);
-
- // @todo this check should really be in index.php for all sensitive actions
- $ssl = common_config('site', 'ssl');
- if (empty($_SERVER['HTTPS']) && ($ssl == 'always' || $ssl == 'sometimes')) {
- common_redirect(common_local_url('login'));
- // exit
- }
-
- return true;
- }
-
- /**
* Handle input, produce output
*
* Switches on request method; either shows the form or handles its input.
diff --git a/actions/register.php b/actions/register.php
index 7307bc689..9b8161e08 100644
--- a/actions/register.php
+++ b/actions/register.php
@@ -74,13 +74,6 @@ class RegisterAction extends Action
parent::prepare($args);
$this->code = $this->trimmed('code');
- // @todo this check should really be in index.php for all sensitive actions
- $ssl = common_config('site', 'ssl');
- if (empty($_SERVER['HTTPS']) && ($ssl == 'always' || $ssl == 'sometimes')) {
- common_redirect(common_local_url('register'));
- // exit
- }
-
if (empty($this->code)) {
common_ensure_session();
if (array_key_exists('invitecode', $_SESSION)) {
diff --git a/index.php b/index.php
index 21e222e3b..5a08aa078 100644
--- a/index.php
+++ b/index.php
@@ -283,6 +283,14 @@ function main()
return;
}
+ $site_ssl = common_config('site', 'ssl');
+
+ // If the request is HTTP and it should be HTTPS...
+ if ($site_ssl != 'never' && !StatusNet::isHTTPS() && common_is_sensitive($args['action'])) {
+ common_redirect(common_local_url($args['action'], $args));
+ return;
+ }
+
$args = array_merge($args, $_REQUEST);
Event::handle('ArgsInitialize', array(&$args));
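Review bot: The new guard in main() tests `$site_ssl != 'never'`, which is broader than the `$ssl == 'always' || $ssl == 'sometimes'` checks it replaces in login.php and register.php, so an unset or misspelled `site`/`ssl` setting now triggers the redirect as well. If `common_local_url()` only produces an https URL for the recognised values (its body is not visible here), that case would redirect to the same http URL over and over, so I would keep the allow-list: `if (in_array($site_ssl, array('always', 'sometimes'), true) && !StatusNet::isHTTPS() && common_is_sensitive($args['action'])) {`. Separately, the redirect runs only after the plain-http request has arrived, so a form POST has already sent its fields in clear text, and the `$_REQUEST` parameters merged on the following line appear not to be carried into the target URL. A short comment such as `// Best-effort only: the original request, including any POST body, already crossed the wire over http` would keep readers from treating this as transport protection. main() starts and ends outside this hunk.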