From ec82ac0f2eadc2c324b81e2252bb8bee88f09319 Mon Sep 17 00:00:00 2001
From: Daniel Friesel <derf@finalrewind.org>
Date: Fri, 8 Mar 2019 16:55:45 +0100
Subject: move /action to non-authenticated area to handle session issues

---
 index.pl | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

(limited to 'index.pl')

diff --git a/index.pl b/index.pl
index 6331d45..03a344a 100755
--- a/index.pl
+++ b/index.pl
@@ -1021,11 +1021,6 @@ get '/reg/:id/:token' => sub {
 	$self->render( 'login', from => 'verification' );
 };
 
-under sub {
-	my ($self) = @_;
-	return $self->is_user_authenticated;
-};
-
 post '/action' => sub {
 	my ($self) = @_;
 	my $params = $self->req->json;
@@ -1034,13 +1029,25 @@ post '/action' => sub {
 		$params = $self->req->params->to_hash;
 	}
 
+	if ( not $self->is_user_authenticated ) {
+
+		# We deliberately do not set the HTTP status for these replies, as it
+		# confuses jquery.
+		$self->render(
+			json => {
+				success => 0,
+				error   => 'Session error, please login again',
+			},
+		);
+		return;
+	}
+
 	if ( not $params->{action} ) {
 		$self->render(
 			json => {
 				success => 0,
 				error   => 'Missing action value',
 			},
-			status => 400,
 		);
 		return;
 	}
@@ -1111,11 +1118,15 @@ post '/action' => sub {
 				success => 0,
 				error   => 'invalid action value',
 			},
-			status => 400,
 		);
 	}
 };
 
+under sub {
+	my ($self) = @_;
+	return $self->is_user_authenticated;
+};
+
 get '/account' => sub {
 	my ($self) = @_;
 
-- 
cgit v1.2.3