Fix issue with the accessibility of RSS feeds when "force login" is active

The pages were generally not accessible for users who were not logged in, as the access token was only evaluated after the CheckForForceLogin middleware had been executed.

diff --git a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
index 0876d651ca778eb934c4d49e94d2eabbae7937cb..5106167198e87aa4c85443dc48dc1b0ce41d5f60 100644 (file)
--- a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
+++ b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
@@ -4,6 +4,7 @@ namespace wcf\page;
 
 use wcf\data\user\User;
 use wcf\system\exception\IllegalLinkException;
+use wcf\system\exception\PermissionDeniedException;
 use wcf\system\session\SessionHandler;
 use wcf\system\WCF;
 
@@ -17,6 +18,12 @@ use wcf\system\WCF;
  */
 abstract class AbstractAuthedPage extends AbstractPage
 {
+    /**
+     * If “Force login” is active, this page is faked as available during offline mode
+     * in order to bypass the CheckForForceLogin middleware.
+     */
+    public const AVAILABLE_DURING_OFFLINE_MODE = \FORCE_LOGIN;
+
     /**
      * @inheritDoc
      */
@@ -24,8 +31,16 @@ abstract class AbstractAuthedPage extends AbstractPage
     {
         parent::readParameters();
 
+        if (\OFFLINE) {
+            throw new IllegalLinkException();
+        }
+
         // check security token
         $this->checkAccessToken();
+
+        if (\FORCE_LOGIN && !WCF::getUser()->userID) {
+            throw new PermissionDeniedException();
+        }
     }
 
     /**