From 79b8ca95395d138c3efc9b302067fc30733c81a7 Mon Sep 17 00:00:00 2001 From: nliautaud Date: Sat, 16 Sep 2017 12:10:37 +0200 Subject: [PATCH] Hide 403 pages, close #9 --- 45-PicoUsers/PicoUsers.php | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/45-PicoUsers/PicoUsers.php b/45-PicoUsers/PicoUsers.php index d14b4e9..0cbeb71 100644 --- a/45-PicoUsers/PicoUsers.php +++ b/45-PicoUsers/PicoUsers.php @@ -11,7 +11,7 @@ * @link https://github.com/nliautaud/pico-users * @link http://picocms.org * @license http://opensource.org/licenses/MIT The MIT License - * @version 0.2.2 + * @version 0.2.3 */ final class PicoUsers extends AbstractPicoPlugin { @@ -52,15 +52,15 @@ public function onConfigLoaded(array &$config) */ public function onRequestUrl(&$url) { - $page_url = rtrim($url, '/'); - if (!$this->is_authorized($this->base_url . $page_url)) { + if (!$this->is_authorized($this->base_url . $url)) { $url = '403'; header('HTTP/1.1 403 Forbidden'); } } /** + * Hide 403 and unauthorized pages. + * * Triggered after Pico has read all known pages - * * See {@link DummyPlugin::onSinglePageLoaded()} for details about the * structure of the page data. * @@ -81,7 +81,7 @@ public function onPagesLoaded( array &$nextPage = null ) { foreach ($pages as $id => $page ) { - if (!$this->is_authorized(rtrim($page['url'], '/'))) { + if ($id == '403' || !$this->is_authorized($page['url'])) { unset($pages[$id]); } } @@ -124,7 +124,7 @@ function check_login() unset($_SESSION[$fp]); return; } - + // login action if (isset($_POST['login']) && isset($_POST['pass'])) { @@ -140,7 +140,7 @@ function check_login() $path = $_SESSION[$fp]['path']; $hash = $_SESSION[$fp]['hash']; $user = $this->get_user($path); - + if ($user['hash'] === $hash) { $this->log_user($user, $fp); } 
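Review bot: The 403 response in onRequestUrl is still emitted with `header('HTTP/1.1 403 Forbidden');`, which hard-codes a protocol version the client may not be speaking and is not the portable way to set a status under FastCGI; `http_response_code(403);` lets the SAPI produce the correct status line. The check now runs on `$this->base_url . $url` with the trailing-slash strip moved into is_authorized, so that strip is the only normalisation visible before rule matching; whether an alternative spelling of a protected path (repeated slashes, percent-encoding, case) still hits its rule depends on how is_authorized compares `$url` with `$auth_path`, which this hunk does not show, and a test for that would be worthwhile. The enclosing class and the rest of the doc comment continue outside the hunk.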
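Review bot: The new filter in onPagesLoaded uses a loose comparison, `$id == '403'`, and when both operands are numeric strings PHP compares them as numbers, so ids such as `0403` or `403.0` would also be hidden; `if ($id === '403' || !$this->is_authorized($page['url'])) {` pins it to the one page intended. Removing an entry from `$pages` does not touch the `&$nextPage` reference the hook receives (and presumably the matching previous/current ones outside the hunk), so a theme's prev/next navigation may still expose the title or URL of a page the user is not allowed to see — worth confirming against how Pico resolves those before this hook runs. onPagesLoaded's parameter list starts outside the hunk.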
@@ -210,7 +210,7 @@ function search_users( $name, $pass, $users = null , $path = '' ) } if ($name !== null && $name !== $username) continue; - + if (!password_verify($pass, $userdata)) continue; $results[] = array( @@ -245,6 +245,7 @@ function get_user( $path ) private function is_authorized($url) { if (!$this->rights) return true; + $url = rtrim($url, '/'); foreach ($this->rights as $auth_path => $auth_user ) { // url is concerned by this rule and user is not (unauthorized)
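Review bot: is_authorized now strips trailing slashes from `$url` before matching, but that is the only normalisation, and since `$url` is built from the request in onRequestUrl, whether equivalent spellings of a protected path are treated the same depends on the comparison against `$auth_path` in the loop, whose body continues outside the hunk. The method also has no docblock; one stating that access is granted to everything when `$this->rights` is empty (the `return true` guard) and that `$url` is compared with trailing slashes removed would make the contract explicit for whoever next edits the rule matching, e.g. `/** Whether the current user may access $url (compared without trailing slashes); an empty rights map allows all. */`.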