[Krang-CVS] (Re-commit after CVS restore) Fixed a flaw in Krang::Handler that

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Log Message:
-----------
(Re-commit after CVS restore) Fixed a flaw in Krang::Handler that allowed
access to any file via the root handler.  Now only image files and the two
Krang CSS files are accessable without logging-in.

Modified Files:
--------------
    krang/lib/Krang:
        Handler.pm

Revision Data
-------------
Index: Handler.pm
===================================================================
RCS file: /usr/local/krang-cvs/krang/lib/Krang/Handler.pm,v
retrieving revision 1.31
retrieving revision 1.32
diff -Llib/Krang/Handler.pm -Llib/Krang/Handler.pm -u -r1.31 -r1.32

--- lib/Krang/Handler.pm
+++ lib/Krang/Handler.pm
@@ -196,8 +196,8 @@
             }
         }
 
-        # Allow requests for other assets to pass through normally
-        return DECLINED unless ($uri eq '/');
+        # stop other requests unless they're for the root
+        return FORBIDDEN unless ($uri eq '/');
 
         # We're looking at the root.  Set handler to show list of instances
         $r->handler("perl-script");
@@ -309,10 +309,11 @@
         return OK;
     }
 
-    # always allow access to the CSS file and the logo - needed before
+    # always allow access to the CSS file and images - needed before
     # login to display the login screen
-    return OK if $path =~ m!krang\.css$! or $path =~ m!logo\.gif$!;
-
+    return OK if $path =~ m!krang(_login)?\.css$! 
+      or $path =~ m!\.(gif|jpg|png)$!;
+    
     # If user is logged in, we're done
     return OK if (defined($r->connection->user()));
 


