feat: added proper 403 handling

Author: thorsten

composer.lock

@@ -0,0 +1,93 @@
+Copyright 2020 Braille Institute of America, Inc.
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+https://openfontlicense.org
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded, 
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.

phpmyfaq/assets/fonts/AtkinsonHyperlegible-Bold.ttf

@@ -0,0 +1,18 @@
+{% extends '@admin/index.twig' %}
+
+{% block content %}
+  <div class="d-flex justify-content-between flex-wrap flex-md-nowrap align-items-center pt-3 mb-3 border-bottom">
+    <h1 class="h2">
+      <i aria-hidden="true" class="bi bi-exclamation-triangle"></i>
+      {{ 'msgError403' | translate }}
+    </h1>
+  </div>
+
+  <p class="alert alert-danger">
+    {{ 'msgError403Description' | translate }}
+  </p>
+
+  <p class="small">
+   {{ 'msgError403Hint' | translate }}
+  </p>
+{% endblock %}

phpmyfaq/assets/fonts/AtkinsonHyperlegible-BoldItalic.ttf

@@ -19,6 +19,7 @@
 
 namespace phpMyFAQ;
 
+use phpMyFAQ\Controller\Exception\ForbiddenException;
 use phpMyFAQ\Core\Exception;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\Exception\BadRequestException;
@@ -154,6 +155,17 @@ private function handleRequest(
                     headers: ['Content-Type' => 'application/json'],
                 );
             }
+        } catch (ForbiddenException $exception) {
+            $message = Environment::isDebugMode()
+                ? $this->formatExceptionMessage(
+                    template: 'An error occurred: :message at line :line at :file',
+                    exception: $exception,
+                )
+                : 'Bad Request';
+            $response = new Response(
+                content: $message,
+                status: Response::HTTP_FORBIDDEN,
+            );
         } catch (BadRequestException $exception) {
             $message = Environment::isDebugMode()
                 ? $this->formatExceptionMessage(

phpmyfaq/assets/fonts/AtkinsonHyperlegible-Italic.ttf

@@ -22,6 +22,7 @@
 use OpenApi\Attributes as OA;
 use phpMyFAQ\Captcha\Captcha;
 use phpMyFAQ\Configuration;
+use phpMyFAQ\Controller\Exception\ForbiddenException;
 use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Filter;
@@ -151,7 +152,7 @@ protected function hasValidToken(): void
     }
 
     /**
-     * @throws Exception|\Exception
+     * @throws \Exception
      */
     protected function isSecured(): void
     {
@@ -181,7 +182,7 @@ protected function userIsSuperAdmin(): void
     }
 
     /**
-     * @throws UnauthorizedHttpException
+     * @throws ForbiddenException
      */
     protected function userHasGroupPermission(): void
     {
@@ -192,12 +193,12 @@ protected function userHasGroupPermission(): void
             || !$currentUser->perm->hasPermission($currentUser->getUserId(), PermissionType::USER_DELETE->value)
             || !$currentUser->perm->hasPermission($currentUser->getUserId(), PermissionType::GROUP_EDIT->value)
         ) {
-            throw new UnauthorizedHttpException(challenge: 'User has no group permission.');
+            throw new ForbiddenException(message: 'User has no group permission.');
         }
     }
 
     /**
-     * @throws UnauthorizedHttpException
+     * @throws ForbiddenException
      */
     protected function userHasUserPermission(): void
     {
@@ -207,18 +208,18 @@ protected function userHasUserPermission(): void
             || !$currentUser->perm->hasPermission($currentUser->getUserId(), PermissionType::USER_EDIT->value)
             || !$currentUser->perm->hasPermission($currentUser->getUserId(), PermissionType::USER_DELETE->value)
         ) {
-            throw new UnauthorizedHttpException(challenge: 'User has no user permission.');
+            throw new ForbiddenException(message: 'User has no user permission.');
         }
     }
 
     /**
-     * @throws UnauthorizedHttpException
+     * @throws ForbiddenException
      */
     protected function userHasPermission(PermissionType $permissionType): void
     {
         $currentUser = $this->currentUser;
         if (!$currentUser->perm->hasPermission($currentUser->getUserId(), $permissionType->value)) {
-            throw new UnauthorizedHttpException(sprintf('User has no "%s" permission.', $permissionType->value));
+            throw new ForbiddenException(message: sprintf('User has no "%s" permission.', $permissionType->name));
         }
     }
 

phpmyfaq/assets/fonts/AtkinsonHyperlegible-Regular.ttf

@@ -22,6 +22,7 @@
 use Exception;
 use phpMyFAQ\Administration\Helper;
 use phpMyFAQ\Controller\AbstractController;
+use phpMyFAQ\Controller\Exception\ForbiddenException;
 use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Helper\LanguageHelper;
 use phpMyFAQ\Service\Gravatar;
@@ -30,6 +31,7 @@
 use phpMyFAQ\Translation;
 use phpMyFAQ\Twig\TwigWrapper;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 
 abstract class AbstractAdministrationController extends AbstractController
 {
@@ -60,7 +62,6 @@ protected function getHeader(Request $request): array
             'pageDirection' => Translation::get(key: 'direction'),
             'userHasAccessPermission' => $adminHelper->canAccessContent($this->currentUser),
             'msgSessionExpiration' => Translation::get(key: 'ad_session_expiration'),
-            'pageAction' => $request->query->get('action') ? '?action=' . $request->query->get('action') : '',
             'renderedLanguageSelection' => LanguageHelper::renderSelectLanguage(
                 $this->configuration->getLanguage()->getLanguage(),
                 true,
@@ -362,6 +363,32 @@ private function getGravatarImage(): string
         return '';
     }
 
+    protected function userHasPermission(PermissionType $permissionType): void
+    {
+        try {
+            parent::userHasPermission($permissionType);
+        } catch (ForbiddenException $exception) {
+            $response = $this->getForbiddenPage($exception->getMessage());
+            $response->send();
+        } catch (Exception $exception) {
+            $this->configuration->getLogger()->error($exception->getMessage());
+        }
+    }
+
+    /**
+     * @throws Exception
+     */
+    protected function getForbiddenPage(string $message = ''): Response
+    {
+        return $this->render(
+            file: '@admin/error/forbidden.twig',
+            context: [
+                ...$this->getHeader(Request::createFromGlobals()),
+                ...$this->getFooter(),
+            ],
+        );
+    }
+
     /**
      * @return string[]
      */