From 24815e16087b4b1b64e9f380d45d411af32daf42 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 9 Apr 2018 16:56:04 +0200
Subject: Permissions: Consistency: Make all pages require at least one
 permission to be accessible

Closes #3340
---
 modules-available/locations/page.inc.php | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

(limited to 'modules-available/locations/page.inc.php')

diff --git a/modules-available/locations/page.inc.php b/modules-available/locations/page.inc.php
index 80a8076b..4d5c6628 100644
--- a/modules-available/locations/page.inc.php
+++ b/modules-available/locations/page.inc.php
@@ -24,6 +24,9 @@ class Page_Locations extends Page
 		} elseif ($this->action === 'updatesubnets') {
 			$this->updateSubnets();
 		}
+		if (Request::isPost()) {
+			Util::redirect('?do=locations');
+		}
 	}
 
 	private function updateSubnets()
@@ -306,10 +309,16 @@ class Page_Locations extends Page
 
 	protected function doRender()
 	{
-		$getAction = Request::get('action');
-		if (empty($getAction)) {
-			// Until we have a main landing page?
-			Util::redirect('?do=Locations&action=showlocations');
+		$getAction = Request::get('action', false, 'string');
+		if ($getAction === false) {
+			if (User::hasPermission('location.view')) {
+				Util::redirect('?do=locations&action=showlocations');
+			} elseif (User::hasPermission('subnets.edit')) {
+				Util::redirect('?do=locations&action=showsubnets');
+			} else {
+				// Trigger permission denied by asserting non-existent permission
+				User::assertPermission('location.view');
+			}
 		}
 		if ($getAction === 'showsubnets') {
 			User::assertPermission('subnets.edit', NULL, '?do=locations');
@@ -324,6 +333,8 @@ class Page_Locations extends Page
 			Render::addTemplate('subnets', array('list' => $rows));
 		} elseif ($getAction === 'showlocations') {
 			$this->showLocationList();
+		} else {
+			Util::redirect('?do=locations');
 		}
 	}
 
-- 
cgit v1.2.3-55-g7522