X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/3b31ac75ec41b3990cea770a9e48e2066bd8e9a3..refs/pull/5280/head:/app/Http/Controller.php
diff --git a/app/Http/Controller.php b/app/Http/Controller.php
index 78b899d25..8facf5dab 100644
--- a/app/Http/Controller.php
+++ b/app/Http/Controller.php
@@ -9,6 +9,8 @@ use BookStack\Facades\Activity;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Foundation\Validation\ValidatesRequests;
 use Illuminate\Http\JsonResponse;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
 use Illuminate\Routing\Controller as BaseController;
 
 abstract class Controller extends BaseController
@@ -66,6 +68,16 @@ abstract class Controller extends BaseController
         }
     }
 
+    /**
+     * Prevent access for guest users beyond this point.
+     */
+    protected function preventGuestAccess(): void
+    {
+        if (user()->isGuest()) {
+            $this->showPermissionError();
+        }
+    }
+
     /**
      * Check the current user's permissions against an ownable item otherwise throw an exception.
      */
@@ -155,4 +167,20 @@ abstract class Controller extends BaseController
     {
         return ['image_extension', 'mimes:jpeg,png,gif,webp', 'max:' . (config('app.upload_limit') * 1000)];
     }
+
+    /**
+     * Redirect to the URL provided in the request as a '_return' parameter.
+     * Will check that the parameter leads to a URL under the root path of the system.
+     */
+    protected function redirectToRequest(Request $request): RedirectResponse
+    {
+        $basePath = url('/');
+        $returnUrl = $request->input('_return') ?? $basePath;
+
+        if (!str_starts_with($returnUrl, $basePath)) {
+            return redirect($basePath);
+        }
+
+        return redirect($returnUrl);
+    }
 }
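Review bot: The docblock on preventGuestAccess() does not say how access is prevented, and the `void` return type invites a caller to assume execution simply continues after the call. The guard only works if showPermissionError() (defined outside this hunk) never returns normally, which is presumably the case but is not visible here; I would state that contract in the docblock, e.g. `Prevent access for guest users beyond this point. Does not return for guests; delegates to showPermissionError() which is expected to throw.`, and add the matching `@throws` once the exception type is confirmed against showPermissionError().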
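Review bot: The prefix check in redirectToRequest() does not enforce what its docblock promises ("a URL under the root path of the system"): `str_starts_with($returnUrl, $basePath)` accepts any string that textually begins with the base URL, which includes URLs for a different host whose name merely starts with the same characters, so an externally supplied `_return` can still leave the site. Comparing against the base with a path separator appended closes that gap, and since `_return` comes straight from the request it can also arrive as an array, which would make str_starts_with() throw a TypeError rather than fall back; I would change the two lines to `$returnUrl = $request->input('_return');` and `if (!is_string($returnUrl) || !str_starts_with($returnUrl, rtrim($basePath, '/') . '/')) {`. A bare `_return` equal to the root URL with no trailing slash then takes the fallback branch, which redirects to the same place anyway, so no legitimate case is lost. Whether url('/') returns a trailing slash is not visible in this hunk, hence the rtrim() so the comparison works either way.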