From 90c87553ee7566593529199374215ae80bb3e209 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Wed, 20 Oct 2010 20:22:34 -0400
Subject: [PATCH] Redirect to https when making an http request for a sensitive action
---
 actions/login.php | 22 ----------------------
 actions/register.php | 7 -------
 index.php | 8 ++++++++
 3 files changed, 8 insertions(+), 29 deletions(-)
diff --git a/actions/login.php b/actions/login.php
index 07c601a4db..103df7ee5a 100644
--- a/actions/login.php
+++ b/actions/login.php
@@ -62,28 +62,6 @@ class LoginAction extends Action
 return false;
 }
- /**
- * Prepare page to run
- *
- *
- * @param $args
- * @return string title
- */
-
- function prepare($args)
- {
- parent::prepare($args);
-
- // @todo this check should really be in index.php for all sensitive actions
- $ssl = common_config('site', 'ssl');
- if (empty($_SERVER['HTTPS']) && ($ssl == 'always' || $ssl == 'sometimes')) {
- common_redirect(common_local_url('login'));
- // exit
- }
-
- return true;
- }
-
 /**
 * Handle input, produce output
 *
diff --git a/actions/register.php b/actions/register.php
index 7307bc689b..9b8161e082 100644
--- a/actions/register.php
+++ b/actions/register.php
@@ -74,13 +74,6 @@ class RegisterAction extends Action
 parent::prepare($args);
 $this->code = $this->trimmed('code');
- // @todo this check should really be in index.php for all sensitive actions
- $ssl = common_config('site', 'ssl');
- if (empty($_SERVER['HTTPS']) && ($ssl == 'always' || $ssl == 'sometimes')) {
- common_redirect(common_local_url('register'));
- // exit
- }
-
 if (empty($this->code)) {
 common_ensure_session();
 if (array_key_exists('invitecode', $_SESSION)) {
diff --git a/index.php b/index.php
index 21e222e3b8..5a08aa0782 100644
--- a/index.php
+++ b/index.php
@@ -283,6 +283,14 @@ function main()
 return;
 }
+ $site_ssl = common_config('site', 'ssl');
+
+ // If the request is HTTP and it should be HTTPS...
+ if ($site_ssl != 'never' && !StatusNet::isHTTPS() && common_is_sensitive($args['action'])) {
+ common_redirect(common_local_url($args['action'], $args));
+ return;
+ }
+
 $args = array_merge($args, $_REQUEST);
 Event::handle('ArgsInitialize', array(&$args));
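Review bot: The guard `$site_ssl != 'never'` is a loose-comparison denylist, so an unset or misspelled `site/ssl` value also triggers the redirect, whereas the checks removed from login.php and register.php allowlisted `'always'` and `'sometimes'`. If `common_local_url()` does not produce an https URL in that case (its body is not in this diff), the request would be redirected to itself; `in_array($site_ssl, array('always', 'sometimes'), true)` keeps the earlier semantics. The redirect also only protects the follow-up request: credentials or a session cookie sent with the original plain-HTTP request have already crossed the wire, so it should be paired with Secure-flagged cookies and HSTS rather than treated as the enforcement point. A short comment above the `if` would make that explicit, e.g. `// Redirect is a convenience, not a guarantee: the HTTP request was already sent in clear.` main() starts and ends outside the hunk.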