From c9ffbe84f7427d6374f407b32b9904ffb8947e88 Mon Sep 17 00:00:00 2001
From: pastith
Date: Tue, 3 Mar 2009 15:39:07 +0000
Subject: [PATCH] Properly return Forbidden for folders in the deferred authentication case. Folders cannot be accessible by everyone.
---
 gss/src/gr/ebs/gss/server/rest/FilesHandler.java | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gss/src/gr/ebs/gss/server/rest/FilesHandler.java b/gss/src/gr/ebs/gss/server/rest/FilesHandler.java
index da3cbfb..d99994f 100644
--- a/gss/src/gr/ebs/gss/server/rest/FilesHandler.java
+++ b/gss/src/gr/ebs/gss/server/rest/FilesHandler.java
@@ -172,10 +172,11 @@ public class FilesHandler extends RequestHandler {
 // Now it's time to perform the deferred authentication check.
 // Since regular signature checking was already performed,
 // we only need to check the read-all flag.
- if (authDeferred && file != null && !file.isReadForAll()) {
- resp.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
+ if (authDeferred)
+ if (file != null && !file.isReadForAll() || file == null) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
 // If the resource is not a collection, and the resource path
 // ends with "/" or "\", return NOT FOUND.
--
1.7.10.4
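Review bot: The new condition `file != null && !file.isReadForAll() || file == null` relies on `&&` binding tighter than `||` and is wrapped in an unbraced nested `if`, which makes an access-control check harder to audit than it needs to be; the same fail-closed behaviour reads directly as `if (authDeferred && (file == null || !file.isReadForAll())) {` with the braces of the original kept. The comment above the check ("we only need to check the read-all flag") no longer matches the code, since a null `file` is now also refused; suggest extending it with `// A null file here is a folder, which is never readable by everyone, so deny as well.` The commit message says a null `file` means a folder, but the hunk does not show how `file` is resolved; if a missing resource can also leave `file` null, this branch would answer 403 before the NOT FOUND handling that follows, which may be intended but is worth confirming. The enclosing method starts and ends outside the hunk.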