By default, guests may not access actions
authorAlexander Ebert <ebert@woltlab.com>
Thu, 13 Oct 2011 18:12:42 +0000 (20:12 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Thu, 13 Oct 2011 18:12:42 +0000 (20:12 +0200)
wcfsetup/install/files/lib/data/AbstractDatabaseObjectAction.class.php

index add8819da989dc9789c16cd0ec0bc9777705f8f7..5242b3885b5d9b048f0b54ab047c235be6f4481b 100644 (file)
@@ -72,6 +72,12 @@ abstract class AbstractDatabaseObjectAction implements IDatabaseObjectAction {
         */
        protected $returnValues = null;
        
+       /**
+        * disallow guest access
+        * @var boolean
+        */
+       protected $allowGuestAccess = false;
+       
        /**
         * Initialized a new DatabaseObject-related action.
         *
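Review bot: The docblock `disallow guest access` on `$allowGuestAccess` contradicts the property name and describes the default value rather than what the flag does. The flag is a single class-level boolean, and the check added to validateAction() in the second hunk does not consult the action name. A subclass that sets it to true for the sake of one action therefore opens every action of that class to guests. I would state that in the docblock, e.g. `* if true, guests may execute every action of this class; per-action permission checks are still required`.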
@@ -92,6 +98,11 @@ abstract class AbstractDatabaseObjectAction implements IDatabaseObjectAction {
         * @see wcf\data\IDatabaseObjectAction::validateAction()
         */
        public function validateAction() {
+               // validate if user is logged in
+               if (!$this->allowGuestAccess && !WCF::getUser()->userID) {
+                       throw new ValidateActionException("Please login before executing this action");
+               }
+               
                // validate action name
                if (!method_exists($this, $this->getActionName())) {
                        throw new ValidateActionException("unknown action '".$this->getActionName()."'");
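Review bot: The guest check in validateAction() only runs when this base implementation is invoked, so a subclass that overrides validateAction() without calling `parent::validateAction()` would skip it silently. Whether such overrides exist is not visible on this page. A comment above the check would make the contract explicit: `// subclasses overriding validateAction() must call parent::validateAction() to keep the guest check`. The check also covers authentication only, so the per-action validation still has to enforce permissions for logged-in users. The body of validateAction() continues outside the hunk.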