Fix missing permission check to load profile like lists
authorJoshua Rüsweg <ruesweg@woltlab.com>
Sun, 23 Jun 2019 12:49:00 +0000 (14:49 +0200)
committerJoshua Rüsweg <ruesweg@woltlab.com>
Sun, 23 Jun 2019 12:49:00 +0000 (14:49 +0200)
wcfsetup/install/files/lib/data/like/LikeAction.class.php

index 1546578539bcde41fc370b6b7265a6456bb15e89..22e08502e29adf0402ca7daf0341870e318d4013 100644 (file)
@@ -6,6 +6,8 @@ use wcf\data\user\User;
 use wcf\data\user\UserEditor;
 use wcf\data\AbstractDatabaseObjectAction;
 use wcf\data\IGroupedUserListAction;
+use wcf\system\cache\runtime\UserProfileRuntimeCache;
+use wcf\system\exception\IllegalLinkException;
 use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\UserInputException;
 use wcf\system\like\LikeHandler;
@@ -287,10 +289,24 @@ class LikeAction extends AbstractDatabaseObjectAction implements IGroupedUserLis
         * Validates parameters to load likes.
         */
        public function validateLoad() {
+               if (!MODULE_LIKE) {
+                       throw new IllegalLinkException();
+               }
+               
                $this->readInteger('lastLikeTime', true);
                $this->readInteger('userID');
                $this->readInteger('likeValue');
                $this->readString('likeType');
+               
+               $user = UserProfileRuntimeCache::getInstance()->getObject($this->parameters['userID']);
+               
+               if ($user === null) {
+                       throw new IllegalLinkException();
+               }
+               
+               if ($user->isProtected()) {
+                       throw new PermissionDeniedException();
+               }
        }
        
        /**
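Review bot: The docblock above validateLoad still says only "Validates parameters to load likes." while the method now exits through two distinct exception types, so callers and the action's API surface no longer match the documentation; add `@throws IllegalLinkException if the like module is disabled or the requested user does not exist` and `@throws PermissionDeniedException if the requested profile is protected from the current user`. The `isProtected()` check presumably evaluates the profile's visibility against the active session rather than a global flag — worth confirming, since that is what makes this a per-viewer authorization check rather than a static one. `likeType` and `likeValue` are read here but not restricted to the values the loader accepts; if `load()` (outside this hunk) does not validate them itself, a `UserInputException` for unexpected values belongs in this method alongside the other checks.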