Properly handle userIDs referring to non-existent users in AbstractAuthedPage
authorTim Düsterhus <duesterhus@woltlab.com>
Tue, 11 Feb 2020 10:32:41 +0000 (11:32 +0100)
committerTim Düsterhus <duesterhus@woltlab.com>
Tue, 11 Feb 2020 10:33:37 +0000 (11:33 +0100)
This commit completes 33989f299121bfb3b82c40f3257f404fc23b3c1c.

wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php

index 995768b09f9b3f12f68585aa6b69bb20b99b94ee..86ec3056f45dd256c9e2df41b0337e9cafaefc6c 100644 (file)
@@ -47,7 +47,7 @@ abstract class AbstractAuthedPage extends AbstractPage {
                                }
                                else {
                                        $user = new User($userID);
-                                       if (\hash_equals($user->accessToken, $token) && !$user->banned) {
+                                       if ($user->userID && $user->accessToken && \hash_equals($user->accessToken, $token) && !$user->banned) {
                                                // token is valid and user is not banned -> change user
                                                SessionHandler::getInstance()->changeUser($user, true);
                                        }
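Review bot: The comment under the new condition still reads `// token is valid and user is not banned`, which no longer describes everything the `if` enforces and hides why the two added truthiness checks matter. `$user->userID` rejects IDs with no matching user, and `$user->accessToken` keeps `\hash_equals()` from being called with a missing token and, it appears, also stops an account with an empty stored token from matching an empty supplied one. I would record that above the condition, e.g. `// unknown users and users without an access token must never authenticate; check both before comparing`. What happens when the condition fails is not visible here, because the enclosing method begins and ends outside the hunk.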