Redirect non-SSL hits to login & register actions to SSL if 'always' or 'sometimes...

The forms would already submit to SSL, but people are happier if they start on a secure page!

Note: this really should be done for sensitive/all URLs in index.php, but it seems a bit awkward to reconstruct the SSL version of the link atm. Cleanup todo!

diff --git a/actions/login.php b/actions/login.php
index dc6352368a698e0753619bdb9827df4b555585d9..d3e4312f71152f86e42047250f1361c95c8fd6df 100644 (file)
--- a/actions/login.php
+++ b/actions/login.php
@@ -62,6 +62,28 @@ class LoginAction extends Action
         return false;
     }
 
+    /**
+     * Prepare page to run
+     *
+     *
+     * @param $args
+     * @return string title
+     */
+
+    function prepare($args)
+    {
+        parent::prepare($args);
+
+        // @todo this check should really be in index.php for all sensitive actions
+        $ssl = common_config('site', 'ssl');
+        if (empty($_SERVER['HTTPS']) && ($ssl == 'always' || $ssl == 'sometimes')) {
+            common_redirect(common_local_url('login'));
+            // exit
+        }
+
+        return true;
+    }
+
     /**
      * Handle input, produce output
      *

diff --git a/actions/register.php b/actions/register.php
index 7fdbb4ded63bb6f104db895d1d4b719ad9ee5e7d..2fc7ef9219acec175c0025daa3d236ab5ec974b0 100644 (file)
--- a/actions/register.php
+++ b/actions/register.php
@@ -74,6 +74,13 @@ class RegisterAction extends Action
         parent::prepare($args);
         $this->code = $this->trimmed('code');
 
+        // @todo this check should really be in index.php for all sensitive actions
+        $ssl = common_config('site', 'ssl');
+        if (empty($_SERVER['HTTPS']) && ($ssl == 'always' || $ssl == 'sometimes')) {
+            common_redirect(common_local_url('register'));
+            // exit
+        }
+
         if (empty($this->code)) {
             common_ensure_session();
             if (array_key_exists('invitecode', $_SESSION)) {