
Return a 403 for unauthorised 'format=text' requests.

The Release plugin sends requests to the site with Accept: text/plain in the header. If the user publishing a plugin didn't have the required permission, the site would send a redirect to the 'not authorised' page - not particularly helpful for the Release plugin. It now sends a 403 for such requests.
1 parent ef6415a commit e11bfbfbfdac8e851104ce88dfc976ea83eae795 @pledbrook pledbrook committed Jun 13, 2012
Showing with 5 additions and 0 deletions.
  1. +5 −0 grails-app/conf/org/grails/auth/JSecurityAuthFilters.groovy
5 grails-app/conf/org/grails/auth/JSecurityAuthFilters.groovy
@@ -38,6 +38,9 @@ class JSecurityAuthFilters {
action: 'login',
params:[targetUri: targetUri])
}
+
+ // Don't execute the default behaviour.
+ return false
}
/**
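Review bot: The comment on the new `return false` says what is skipped but not why, and the commit message does not mention this change at all. Spell out in the comment what the default behaviour is (presumably the plugin's own login redirect, which would otherwise run after the redirect issued just above), and mention it in the commit message, since it alters the unauthenticated path rather than the unauthorised one the commit is about. Separately, the branch above still ends in a redirect to the `login` action; if a text-format client can arrive unauthenticated, it receives the same kind of redirect the commit message calls unhelpful, so a 401 for that case would match the 403 added in the next hunk.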
@@ -47,6 +50,8 @@ class JSecurityAuthFilters {
def onUnauthorized(subject, d) {
if (d.request.xhr) {
d.render "You do not have permission to access this page."
+ } else if (d.response.format == 'text') {
+ d.render status: 403, text: "Permission denied"
} else {
// Redirect to the 'unauthorized' page.
d.redirect controller: 'user', action: 'unauthorized'
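Review bot: The new `d.response.format == 'text'` branch sits after the `d.request.xhr` check, so a text-format request that is also flagged as XHR still gets the plain `d.render` with no status set, which is a 200 carrying a denial message. Test the format first, or give the XHR branch `status: 403` as well, so that every non-browser client can tell a denial from success by the status code alone. It is also worth confirming that `response.format` resolves to 'text' for a request that only sends `Accept: text/plain`, as the commit message describes, and whether this handler needs the same `return false` that was added to the handler above.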
