From: Marcel Werk
Date: Mon, 23 Dec 2024 13:34:07 +0000 (+0100)
Subject: Fix issue with the accessibility of RSS feeds when "force login" is active
X-Git-Tag: 6.1.3_dev_1~10^2
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=3fa87b3e8028da4ca54949574888c67b66a0708a;p=GitHub%2FWoltLab%2FWCF.git

Fix issue with the accessibility of RSS feeds when "force login" is active

The pages were generally not accessible for users who were not logged in, as the access token was only evaluated after the CheckForForceLogin middleware had been executed.
---
diff --git a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
index 0876d651ca..5106167198 100644
--- a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
+++ b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
@@ -4,6 +4,7 @@ namespace wcf\page;
 
 use wcf\data\user\User;
 use wcf\system\exception\IllegalLinkException;
+use wcf\system\exception\PermissionDeniedException;
 use wcf\system\session\SessionHandler;
 use wcf\system\WCF;
 
@@ -17,6 +18,12 @@ use wcf\system\WCF;
 */
 abstract class AbstractAuthedPage extends AbstractPage
 {
+ /**
+ * If “Force login” is active, this page is faked as available during offline mode
+ * in order to bypass the CheckForForceLogin middleware.
+ */
+ public const AVAILABLE_DURING_OFFLINE_MODE = \FORCE_LOGIN;
+
 /**
 * @inheritDoc
 */
@@ -24,8 +31,16 @@ abstract class AbstractAuthedPage extends AbstractPage
 {
 parent::readParameters();
 
+ if (\OFFLINE) {
+ throw new IllegalLinkException();
+ }
+
 // check security token
 $this->checkAccessToken();
+
+ if (\FORCE_LOGIN && !WCF::getUser()->userID) {
+ throw new PermissionDeniedException();
+ }
 }
 
 /**
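Review bot: The docblock on `AVAILABLE_DURING_OFFLINE_MODE` says why the flag is faked but not what that costs: with force login on, every subclass of AbstractAuthedPage skips the CheckForForceLogin middleware, and the only remaining guards are the ones in this class's readParameters(). I would add a line such as `* Subclasses must call parent::readParameters(), which re-applies the offline and force-login checks.` A subclass that redefines the constant or overrides readParameters() without the parent call would fail open. Whether any subclass does so is not visible in this diff.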
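Review bot: The `if (\OFFLINE)` guard added at the top of readParameters() runs whether or not force login is enabled, although the constant only disables the middleware when `\FORCE_LOGIN` is true. If the regular offline handling lets some users through (not visible in this hunk), those users now get an IllegalLinkException on every authed page; `if (\FORCE_LOGIN && \OFFLINE) {` would confine the manual check to the case it compensates for. The guest check after `checkAccessToken()` relies on that method having switched the session to the token's user, so I would add `// re-apply force login here: the middleware was skipped so the token could be evaluated first` above it. The method's signature lies outside the hunk.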