Resolving Issue #2707

Some pages that have permission errors dont raise proper messages
Cacti · May 27, 2019 · d04fb8d · d04fb8d
1 parent 1f1a93e
commit d04fb8d
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 2 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -39,6 +39,7 @@ Cacti CHANGELOG
 -issue#2698: Avoid duplicated icon in the main.js of all themes
 -issue#2699: Login Options: "Show the page that user pointed their browser to" Not Working
 -issue#2702: sqltable_to_php.php should ignore '--plugin' when '--update'
+-issue#2707: Some pages that have permission errors dont raise proper messages
 -feature#2538: New global setting to change datasource behaviour when deleting graph
 -feature#2539: New global setting to add permanent unlock of graphs
 -feature#2540: New user setting to forget graph tree history on tab close

diff --git a/include/auth.php b/include/auth.php
@@ -260,6 +260,8 @@
 				$goBack = "<td colspan='2' class='center'>[<a href='" . $config['url_path'] . "logout.php'>" . __('Login Again') . "</a>]</td>";
 			}
 
+			raise_ajax_permission_denied();
+
 			$title_header = __('Permission Denied');
 			$title_body = '<p>' . __('You are not permitted to access this section of Cacti.') . '</p><p>' . __('If you feel that this is an error. Please contact your Cacti Administrator.');
 

diff --git a/include/layout.js b/include/layout.js
@@ -1830,7 +1830,7 @@ function setNavigationScroll() {
 						$(object).css('overflow-y', 'auto');
 					}, 500);
 				}
-	
+
 				isHover = true;
 			}
 		}
@@ -1927,6 +1927,7 @@ function getPresentHTTPError(data) {
 		var errorStr  = data.status;
 		var errorSub  = data.statusText;
 		var errorText = errorReasonUnexpected;
+		var found     = false;
 
 		if (typeof data.responseText != 'undefined') {
 			var dataText = data.responseText;
@@ -1937,14 +1938,21 @@ function getPresentHTTPError(data) {
 
 			if (title_match != null) {
 				var errorSub = title_match[1];
+				found = true;
 			}
 
 			if (head_match != null) {
 				var errorSub = head_match[1];
+				found = true;
 			}
 
 			if (para_match != null) {
 				var errorText = para_match[1];
+				found = true;
+			}
+
+			if (!found && dataText != '') {
+				var errorText = dataText;
 			}
 
 			var returnStr = '<div id="httperror" style="display:none">' +

diff --git a/lib/functions.php b/lib/functions.php
@@ -1504,7 +1504,7 @@ function strip_alpha(&$string) {
 /** get_full_script_path - gets the full path to the script to execute to obtain data for a
  *    given data source. this function does not work on SNMP actions, only script-based actions
  *  @arg $local_data_id - (int) the ID of the data source
- *  @returns - the full script path or (bool) false for an error 
+ *  @returns - the full script path or (bool) false for an error
 */
 function get_full_script_path($local_data_id) {
 	global $config;
@@ -5362,3 +5362,20 @@ function is_function_enabled($name) {
 		!in_array($name, array_map('trim', explode(', ', ini_get('disable_functions')))) &&
 		strtolower(ini_get('safe_mode')) != 1;
 }
+
+function is_page_ajax() {
+	if (!empty($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest' ) {
+		return true;
+	}
+
+	return false;
+}
+
+function raise_ajax_permission_denied() {
+	if (is_page_ajax()) {
+		header('HTTP/1.1 401 ' . __('Permission Denied'));
+		print __('You are not permitted to access this section of Cacti.') . '  ' . __('If you feel that this is an error. Please contact your Cacti Administrator.');
+		exit;
+	}
+}
+
diff --git a/permission_denied.php b/permission_denied.php
@@ -37,6 +37,8 @@
 	exit;
 }
 
+raise_ajax_permission_denied();
+
 print "<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN' 'http://www.w3.org/TR/html4/loose.dtd'>\n";
 print "<html>\n";
 print "<head>\n";