Article system allowed access to titles of hidden articles
authorMarcel Werk <burntime@woltlab.com>
Thu, 31 Mar 2022 12:05:56 +0000 (14:05 +0200)
committerMarcel Werk <burntime@woltlab.com>
Thu, 31 Mar 2022 12:05:56 +0000 (14:05 +0200)
The problem was caused by a redirect to the Canonical URL before the permissions were checked.

wcfsetup/install/files/lib/page/AbstractArticlePage.class.php

index 1c5645e5c3f3bf9eaacf4ed3768517071e605b5f..c880ce66e68b46d5ef2fdd7269b5242153cbc76b 100644 (file)
@@ -94,24 +94,16 @@ abstract class AbstractArticlePage extends AbstractPage
         $this->article->getDiscussionProvider()->setArticleContent($this->articleContent->getDecoratedObject());
         $this->category = $this->article->getCategory();
 
+        if (!$this->article->canRead()) {
+            throw new PermissionDeniedException();
+        }
+
         // update interface language
         if (!WCF::getUser()->userID && $this->article->isMultilingual && $this->articleContent->languageID != WCF::getLanguage()->languageID) {
             WCF::setLanguage($this->articleContent->languageID);
         }
     }
 
-    /**
-     * @inheritDoc
-     */
-    public function checkPermissions()
-    {
-        parent::checkPermissions();
-
-        if (!$this->article->canRead()) {
-            throw new PermissionDeniedException();
-        }
-    }
-
     /**
      * @inheritDoc
      */
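Review bot: The relocated `canRead()` check added after the category lookup has no comment saying why it lives here rather than in `checkPermissions()`, so a later cleanup could move it back and reopen the disclosure described in the commit message. I would put `// Must run here, not in checkPermissions(): the canonical-URL redirect happens before checkPermissions() and would otherwise reveal data of an unreadable article.` directly above the `if`. With the `checkPermissions()` override removed, authorization appears to depend on every subclass calling this parent method before it redirects or emits anything derived from the article, and that contract belongs in the method's docblock. The enclosing method starts outside the hunk, so its name and the earlier lookups are not visible here.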