Merge pull request #4340 from Senky/ticket/10961

[ticket/10961] Send HTTP 403 when applicable

* Senky/ticket/10961:
  [ticket/10961] Send HTTP 403 when applicable

phpBB/adm/index.php

@@ -41,6 +41,7 @@ if (!isset($user->data['session_admin']) || !$user->data['session_admin'])
 // check specific permissions but this is a catchall
 if (!$auth->acl_get('a_'))
 {
+	send_status_line(403, 'Forbidden');
 	trigger_error('NO_ADMIN');
 }
 

phpBB/includes/acp/acp_groups.php

@@ -223,6 +223,7 @@ class acp_groups
 				}
 				else if ($action === 'delete' && $group_row['group_type'] == GROUP_SPECIAL)
 				{
+					send_status_line(403, 'Forbidden');
 					trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 				}
 
@@ -235,6 +236,7 @@ class acp_groups
 						case 'delete':
 							if (!$auth->acl_get('a_groupdel'))
 							{
+								send_status_line(403, 'Forbidden');
 								trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 							}
 
@@ -313,6 +315,7 @@ class acp_groups
 
 				if ($action == 'add' && !$auth->acl_get('a_groupadd'))
 				{
+					send_status_line(403, 'Forbidden');
 					trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 				}
 

phpBB/includes/acp/acp_inactive.php

@@ -164,6 +164,7 @@ class acp_inactive
 						{
 							if (!$auth->acl_get('a_userdel'))
 							{
+								send_status_line(403, 'Forbidden');
 								trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 							}
 

phpBB/includes/acp/acp_main.php

@@ -118,6 +118,7 @@ class acp_main
 					case 'online':
 						if (!$auth->acl_get('a_board'))
 						{
+							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
 
@@ -134,6 +135,7 @@ class acp_main
 					case 'stats':
 						if (!$auth->acl_get('a_board'))
 						{
+							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
 
@@ -189,6 +191,7 @@ class acp_main
 					case 'user':
 						if (!$auth->acl_get('a_board'))
 						{
+							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
 
@@ -256,6 +259,7 @@ class acp_main
 					case 'date':
 						if (!$auth->acl_get('a_board'))
 						{
+							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
 
@@ -372,6 +376,7 @@ class acp_main
 					case 'purge_sessions':
 						if ((int) $user->data['user_type'] !== USER_FOUNDER)
 						{
+							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 						}
 

phpBB/includes/acp/acp_permissions.php

@@ -315,6 +315,7 @@ class acp_permissions
 				case 'apply_permissions':
 					if (!isset($_POST['setting']))
 					{
+						send_status_line(403, 'Forbidden');
 						trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 					}
 					if (!check_form_key($form_name))
@@ -328,6 +329,7 @@ class acp_permissions
 				case 'apply_all_permissions':
 					if (!isset($_POST['setting']))
 					{
+						send_status_line(403, 'Forbidden');
 						trigger_error($user->lang['NO_AUTH_SETTING_FOUND'] . adm_back_link($this->u_action), E_USER_WARNING);
 					}
 					if (!check_form_key($form_name))
@@ -687,6 +689,7 @@ class acp_permissions
 		// Check the permission setting again
 		if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 		}
 
@@ -772,6 +775,7 @@ class acp_permissions
 		// Check the permission setting again
 		if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 		}
 
@@ -884,6 +888,7 @@ class acp_permissions
 		// Check the permission setting again
 		if (!$auth->acl_get('a_' . str_replace('_', '', $permission_type) . 'auth') || !$auth->acl_get('a_auth' . $ug_type . 's'))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action), E_USER_WARNING);
 		}
 

phpBB/includes/acp/acp_users.php

@@ -205,6 +205,7 @@ class acp_users
 					{
 						if (!$auth->acl_get('a_userdel'))
 						{
+							send_status_line(403, 'Forbidden');
 							trigger_error($user->lang['NO_AUTH_OPERATION'] . adm_back_link($this->u_action . '&u=' . $user_id), E_USER_WARNING);
 						}
 

phpBB/includes/functions.php

@@ -2264,6 +2264,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		{
 			$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
 		}
+		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_ADMIN');
 	}
 
@@ -2280,6 +2281,7 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 				{
 					$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
 				}
+				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_ADMIN');
 			}
 
@@ -2301,6 +2303,8 @@ function login_box($redirect = '', $l_explain = '', $l_success = '', $admin = fa
 		{
 			// We log the attempt to use a different username...
 			$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_ADMIN_AUTH_FAIL');
+
+			send_status_line(403, 'Forbidden');
 			trigger_error('NO_AUTH_ADMIN_USER_DIFFER');
 		}
 

phpBB/includes/functions_privmsgs.php

@@ -801,6 +801,7 @@ function move_pm($user_id, $message_limit, $move_msg_ids, $dest_folder, $cur_fol
 
 			if (!$row)
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NOT_AUTHORISED');
 			}
 
@@ -965,6 +966,7 @@ function handle_mark_actions($user_id, $mark_action)
 
 			if (!$auth->acl_get('u_pm_delete'))
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_DELETE_MESSAGE');
 			}
 

phpBB/includes/mcp/mcp_logs.php

@@ -83,6 +83,7 @@ class mcp_logs
 
 				if (!in_array($forum_id, $forum_list))
 				{
+					send_status_line(403, 'Forbidden');
 					trigger_error('NOT_AUTHORISED');
 				}
 
@@ -101,6 +102,7 @@ class mcp_logs
 
 				if (!in_array($forum_id, $forum_list))
 				{
+					send_status_line(403, 'Forbidden');
 					trigger_error('NOT_AUTHORISED');
 				}
 

phpBB/includes/mcp/mcp_queue.php

@@ -622,6 +622,7 @@ class mcp_queue
 
 		if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve')))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 
@@ -877,6 +878,7 @@ class mcp_queue
 
 		if (!phpbb_check_ids($topic_id_list, TOPICS_TABLE, 'topic_id', array('m_approve')))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 
@@ -1074,6 +1076,7 @@ class mcp_queue
 
 		if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_approve')))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 

phpBB/includes/mcp/mcp_reports.php

@@ -542,6 +542,7 @@ function close_report($report_id_list, $mode, $action, $pm = false)
 	{
 		if (!$auth->acl_getf_global('m_report'))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 	}
@@ -549,6 +550,7 @@ function close_report($report_id_list, $mode, $action, $pm = false)
 	{
 		if (!phpbb_check_ids($post_id_list, POSTS_TABLE, 'post_id', array('m_report')))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 	}

phpBB/includes/ucp/ucp_activate.php

@@ -67,6 +67,7 @@ class ucp_activate
 			{
 				login_box('', $user->lang['NO_AUTH_OPERATION']);
 			}
+			send_status_line(403, 'Forbidden');
 			trigger_error('NO_AUTH_OPERATION');
 		}
 

phpBB/includes/ucp/ucp_groups.php

@@ -87,6 +87,7 @@ class ucp_groups
 
 							if (!$auth->acl_get('u_chggrp'))
 							{
+								send_status_line(403, 'Forbidden');
 								trigger_error($user->lang['NOT_AUTHORISED'] . $return_page);
 							}
 

phpBB/includes/ucp/ucp_pm.php

@@ -166,6 +166,7 @@ class ucp_pm
 
 				if (!$auth->acl_get('u_readpm'))
 				{
+					send_status_line(403, 'Forbidden');
 					trigger_error('NO_AUTH_READ_MESSAGE');
 				}
 

phpBB/includes/ucp/ucp_pm_compose.php

@@ -171,6 +171,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		case 'post':
 			if (!$auth->acl_get('u_sendpm'))
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_SEND_MESSAGE');
 			}
 		break;
@@ -186,6 +187,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 
 			if (!$auth->acl_get('u_sendpm'))
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_SEND_MESSAGE');
 			}
 
@@ -226,6 +228,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		case 'delete':
 			if (!$auth->acl_get('u_pm_delete'))
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_DELETE_MESSAGE');
 			}
 
@@ -251,11 +254,13 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 
 	if ($action == 'forward' && (!$config['forward_pm'] || !$auth->acl_get('u_pm_forward')))
 	{
+		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_FORWARD_MESSAGE');
 	}
 
 	if ($action == 'edit' && !$auth->acl_get('u_pm_edit'))
 	{
+		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_EDIT_MESSAGE');
 	}
 
@@ -321,6 +326,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 		{
 			if (($post['forum_id'] && !$auth->acl_get('f_read', $post['forum_id'])) || (!$post['forum_id'] && !$auth->acl_getf_global('f_read')))
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NOT_AUTHORISED');
 			}
 
@@ -456,6 +462,7 @@ function compose_pm($id, $mode, $action, $user_folders = array())
 
 	if (($to_group_id || isset($address_list['g'])) && (!$config['allow_mass_pm'] || !$auth->acl_get('u_masspm_group')))
 	{
+		send_status_line(403, 'Forbidden');
 		trigger_error('NO_AUTH_GROUP_MESSAGE');
 	}
 

phpBB/includes/ucp/ucp_pm_viewmessage.php

@@ -41,6 +41,7 @@ function view_message($id, $mode, $folder_id, $msg_id, $folder, $message_row)
 		$message = $user->lang['NO_AUTH_READ_REMOVED_MESSAGE'];
 
 		$message .= '<br /><br />' . sprintf($user->lang['RETURN_FOLDER'], '<a href="' . $meta_info . '">', '</a>');
+		send_status_line(403, 'Forbidden');
 		trigger_error($message);
 	}
 

phpBB/includes/ucp/ucp_profile.php

@@ -279,6 +279,7 @@ class ucp_profile
 				// Do not display profile information panel if not authed to do so
 				if (!$auth->acl_get('u_chgprofileinfo'))
 				{
+					send_status_line(403, 'Forbidden');
 					trigger_error('NO_AUTH_PROFILEINFO');
 				}
 
@@ -464,6 +465,7 @@ class ucp_profile
 
 				if (!$auth->acl_get('u_sig'))
 				{
+					send_status_line(403, 'Forbidden');
 					trigger_error('NO_AUTH_SIGNATURE');
 				}
 

phpBB/includes/ucp/ucp_remind.php

@@ -79,6 +79,7 @@ class ucp_remind
 
 			if (!$auth2->acl_get('u_chgpasswd'))
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NO_AUTH_PASSWORD_REMINDER');
 			}
 

phpBB/mcp.php

@@ -127,6 +127,7 @@ if (!$auth->acl_getf_global('m_'))
 
 	if (!$allow_user)
 	{
+		send_status_line(403, 'Forbidden');
 		trigger_error('NOT_AUTHORISED');
 	}
 }
@@ -134,6 +135,7 @@ if (!$auth->acl_getf_global('m_'))
 // if the user cannot read the forum he tries to access then we won't allow mcp access either
 if ($forum_id && !$auth->acl_get('f_read', $forum_id))
 {
+	send_status_line(403, 'Forbidden');
 	trigger_error('NOT_AUTHORISED');
 }
 

phpBB/memberlist.php

@@ -75,6 +75,7 @@ switch ($mode)
 		{
 			if ($user->data['user_id'] != ANONYMOUS)
 			{
+				send_status_line(403, 'Forbidden');
 				trigger_error('NO_VIEW_USERS');
 			}
 
@@ -372,6 +373,7 @@ switch ($mode)
 
 		if (!$auth->acl_get('u_sendim'))
 		{
+			send_status_line(403, 'Forbidden');
 			trigger_error('NOT_AUTHORISED');
 		}
 

phpBB/phpbb/feed/forum.php

@@ -74,6 +74,14 @@ class forum extends post_base
 		// Make sure we can read this forum
 		if (!$this->auth->acl_get('f_read', $this->forum_id))
 		{
+			if ($this->user->data['user_id'] != ANONYMOUS)
+			{
+				send_status_line(403, 'Forbidden');
+			}
+			else
+			{
+				send_status_line(401, 'Unauthorized');
+			}
 			throw new unauthorized_forum_exception($this->forum_id);
 		}
 
@@ -84,6 +92,14 @@ class forum extends post_base
 
 			if (isset($forum_ids_passworded[$this->forum_id]))
 			{
+				if ($this->user->data['user_id'] != ANONYMOUS)
+				{
+					send_status_line(403, 'Forbidden');
+				}
+				else
+				{
+					send_status_line(401, 'Unauthorized');
+				}
 				throw new unauthorized_forum_exception($this->forum_id);
 			}
 

phpBB/phpbb/feed/topic.php

@@ -66,6 +66,14 @@ class topic extends post_base
 		// Make sure topic is either approved or user authed
 		if ($this->topic_data['topic_visibility'] != ITEM_APPROVED && !$this->auth->acl_get('m_approve', $this->forum_id))
 		{
+			if ($this->user->data['user_id'] != ANONYMOUS)
+			{
+				send_status_line(403, 'Forbidden');
+			}
+			else
+			{
+				send_status_line(401, 'Unauthorized');
+			}
 			throw new unauthorized_topic_exception($this->topic_id);
 		}
 
@@ -78,6 +86,14 @@ class topic extends post_base
 		// Make sure we can read this forum
 		if (!$this->auth->acl_get('f_read', $this->forum_id))
 		{
+			if ($this->user->data['user_id'] != ANONYMOUS)
+			{
+				send_status_line(403, 'Forbidden');
+			}
+			else
+			{
+				send_status_line(401, 'Unauthorized');
+			}
 			throw new unauthorized_forum_exception($this->forum_id);
 		}
 
@@ -88,6 +104,14 @@ class topic extends post_base
 
 			if (isset($forum_ids_passworded[$this->forum_id]))
 			{
+				if ($this->user->data['user_id'] != ANONYMOUS)
+				{
+					send_status_line(403, 'Forbidden');
+				}
+				else
+				{
+					send_status_line(401, 'Unauthorized');
+				}
 				throw new unauthorized_forum_exception($this->forum_id);
 			}
 

phpBB/phpbb/message/topic_form.php

@@ -71,6 +71,14 @@ class topic_form extends form
 
 		if (!$this->auth->acl_get('f_read', $this->topic_row['forum_id']))
 		{
+			if ($this->user->data['user_id'] != ANONYMOUS)
+			{
+				send_status_line(403, 'Forbidden');
+			}
+			else
+			{
+				send_status_line(401, 'Unauthorized');
+			}
 			return 'SORRY_AUTH_READ';
 		}
 

phpBB/viewforum.php

@@ -91,6 +91,7 @@ if (!$auth->acl_gets('f_list', 'f_read', $forum_id) || ($forum_data['forum_type'
 {
 	if ($user->data['user_id'] != ANONYMOUS)
 	{
+		send_status_line(403, 'Forbidden');
 		trigger_error('SORRY_AUTH_READ');
 	}
 

phpBB/viewonline.php

@@ -37,6 +37,7 @@ if (!$auth->acl_gets('u_viewprofile', 'a_user', 'a_useradd', 'a_userdel'))
 {
 	if ($user->data['user_id'] != ANONYMOUS)
 	{
+		send_status_line(403, 'Forbidden');
 		trigger_error('NO_VIEW_USERS');
 	}
 

phpBB/viewtopic.php

@@ -376,6 +376,7 @@ if (!$overrides_f_read_check && !$auth->acl_get('f_read', $forum_id))
 {
 	if ($user->data['user_id'] != ANONYMOUS)
 	{
+		send_status_line(403, 'Forbidden');
 		trigger_error('SORRY_AUTH_READ');
 	}