Add `CheckForEnterpriseNonOwnerAccess` middleware
authorTim Düsterhus <duesterhus@woltlab.com>
Fri, 20 May 2022 08:12:09 +0000 (10:12 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Fri, 20 May 2022 08:12:09 +0000 (10:12 +0200)
wcfsetup/install/files/lib/http/middleware/CheckForEnterpriseNonOwnerAccess.class.php [new file with mode: 0644]
wcfsetup/install/files/lib/system/request/RequestHandler.class.php

diff --git a/wcfsetup/install/files/lib/http/middleware/CheckForEnterpriseNonOwnerAccess.class.php b/wcfsetup/install/files/lib/http/middleware/CheckForEnterpriseNonOwnerAccess.class.php
new file mode 100644 (file)
index 0000000..aae1ffb
--- /dev/null
@@ -0,0 +1,43 @@
+<?php
+
+namespace wcf\http\middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use wcf\system\exception\IllegalLinkException;
+use wcf\system\request\RequestHandler;
+use wcf\system\WCF;
+
+/**
+ * Restricts access to certain ACP pages for non-owners.
+ *
+ * @author  Tim Duesterhus
+ * @copyright   2001-2022 WoltLab GmbH
+ * @license GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @package WoltLabSuite\Core\Http\Middleware
+ * @since   5.6
+ */
+final class CheckForEnterpriseNonOwnerAccess implements MiddlewareInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $requestHandler = RequestHandler::getInstance();
+
+        if (
+            $requestHandler->isACPRequest()
+            && \ENABLE_ENTERPRISE_MODE
+            && \defined($requestHandler->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
+            && \constant($requestHandler->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
+            && !WCF::getUser()->hasOwnerAccess()
+        ) {
+            throw new IllegalLinkException();
+        }
+
+        return $handler->handle($request);
+    }
+}
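Review bot: `process()` throws `IllegalLinkException` to deny access, but its docblock is only `@inheritDoc`, so the interface contract gives no hint that this middleware short-circuits by throwing instead of returning a response; add `@throws IllegalLinkException if the active ACP request's class sets BLACKLISTED_IN_ENTERPRISE_MODE and the current user lacks owner access` to the method docblock, and extend the class summary with `Only active when ENABLE_ENTERPRISE_MODE is set; non-ACP requests pass through unchanged.` The `\defined(` and `\constant(` lines each rebuild the same constant name from `getActiveRequest()->getClassName()`; hoisting it into `$className = $requestHandler->getActiveRequest()->getClassName();` before the condition removes the duplicated expression and makes the checked constant name visible in one place. Whether `getActiveRequest()` can still be null when this middleware runs is not visible here; the moved code made the same call, so if a null case existed before it exists now, and a guard would belong before the `\defined(` call.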
index 6c57cd2668867c9e3df42e88504e935ca4cf9eda..9b4c719ff3e51909f6b2f5b4132fdad3a5d9e8d7 100644 (file)
@@ -6,6 +6,7 @@ use Laminas\Diactoros\ServerRequestFactory;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use wcf\http\LegacyPlaceholderResponse;
 use wcf\http\middleware\AddAcpSecurityHeaders;
+use wcf\http\middleware\CheckForEnterpriseNonOwnerAccess;
 use wcf\http\middleware\CheckForExpiredAppEvaluation;
 use wcf\http\middleware\CheckForOfflineMode;
 use wcf\http\middleware\EnforceCacheControlPrivate;
@@ -84,21 +85,11 @@ class RequestHandler extends SingletonFactory
             // build request
             $this->buildRequest($application);
 
-            // enforce that certain ACP pages are not available for non-owners in enterprise mode
-            if (
-                $this->isACPRequest()
-                && ENABLE_ENTERPRISE_MODE
-                && \defined($this->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
-                && \constant($this->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
-                && !WCF::getUser()->hasOwnerAccess()
-            ) {
-                throw new IllegalLinkException();
-            }
-
             $pipeline = new Pipeline([
                 new AddAcpSecurityHeaders(),
                 new EnforceCacheControlPrivate(),
                 new EnforceFrameOptions(),
+                new CheckForEnterpriseNonOwnerAccess(),
                 new CheckForExpiredAppEvaluation(),
                 new CheckForOfflineMode(),
             ]);
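Review bot: The removed inline comment (`enforce that certain ACP pages are not available for non-owners in enterprise mode`) was the only text explaining this check, and after the move the `Pipeline([` array is order-sensitive with nothing saying so: the owner check is placed before `CheckForExpiredAppEvaluation` and `CheckForOfflineMode`, matching its previous position ahead of the whole pipeline, assuming `Pipeline` dispatches entries in array order. Add a short comment above `$pipeline = new Pipeline([`, e.g. `// Order matters: the enterprise owner check must run before the evaluation and offline-mode checks, as it did before the pipeline.` The imports of `IllegalLinkException` and `WCF` in this file may now be unused since the only visible use was in the removed block; the rest of the import list and the enclosing method, which starts and ends outside the hunk, are not shown, so this needs confirming in the full file.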