block rpc if not authenticated

CHANGES

@@ -1,3 +1,7 @@
+0.10.2 2023-02-28 16:13:17 +0100 Tobias Oetiker <tobi@oetiker.ch>
+
+ - block rpc calls if there is no session
+
 0.10.1 2023-02-28 15:30:30 +0100 Tobias Oetiker <tobi@oetiker.ch>
 
  - if openid_url is configured, redirect to openid/auth

VERSION

@@ -1 +1 @@
-0.10.1
+0.10.2

lib/EP.pm

@@ -151,9 +151,9 @@ sub startup {
     $routes->get('/' => sub { 
         my $self = shift;
         if ($gcfg->{openid_url} and not $self->session->{epUser}){
-            return $self->redirect_to('./openid/auth');
+            return $self->redirect_to('openid/auth');
         }        
-        return $self->redirect_to('./'.$app->prefix); 
+        return $self->redirect_to('/'.$app->prefix); 
     });
 
     $app->plugin('EP::DocPlugin', {

lib/EP/RpcService.pm

@@ -70,11 +70,11 @@ has 'log' => sub { shift->app->log };
 sub allow_rpc_access {
     my $self = shift;
     my $method = shift;
-
-    die mkerror(3993,q{Your session has expired. Please re-connect.}) unless defined $self->user;
+    if (not defined $self->user or ($self->cfg->{GENERAL}{openid_url} and not $self->session('epUser'))) {
+       die mkerror(3993,q{Your session has expired. Please re-connect.});
+    }
     return $allow{$method}; 
 }
-
 
 =head2 getConfig()
 

share/messages.pot

@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: ep 0.10.1\n"
+"Project-Id-Version: ep 0.10.2\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-02-28 15:32+0100\n"
+"POT-Creation-Date: 2023-02-28 16:16+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

t/00-load-and-ping.t

@@ -19,6 +19,6 @@ $t->post_ok('/app/jsonrpc', json => {
 })
   ->status_is(200)
   ->content_type_is('application/json; charset=utf-8')
-  ->json_is('/error/message' => 'rpc access to method ping denied');
+  ->json_is('/error/message' => 'Your session has expired. Please re-connect.');
 
 done_testing();