From 3fa87b3e8028da4ca54949574888c67b66a0708a Mon Sep 17 00:00:00 2001
From: Marcel Werk
Date: Mon, 23 Dec 2024 14:34:07 +0100
Subject: [PATCH] Fix issue with the accessibility of RSS feeds when "force login" is active

The pages were generally not accessible for users who were not logged in, as the access token was only evaluated after the CheckForForceLogin middleware had been executed.
---
 .../files/lib/page/AbstractAuthedPage.class.php | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
index 0876d651ca..5106167198 100644
--- a/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
+++ b/wcfsetup/install/files/lib/page/AbstractAuthedPage.class.php
@@ -4,6 +4,7 @@ namespace wcf\page;
 
 use wcf\data\user\User;
 use wcf\system\exception\IllegalLinkException;
+use wcf\system\exception\PermissionDeniedException;
 use wcf\system\session\SessionHandler;
 use wcf\system\WCF;
 
@@ -17,6 +18,12 @@ use wcf\system\WCF;
 */
 abstract class AbstractAuthedPage extends AbstractPage
 {
+ /**
+ * If “Force login” is active, this page is faked as available during offline mode
+ * in order to bypass the CheckForForceLogin middleware.
+ */
+ public const AVAILABLE_DURING_OFFLINE_MODE = \FORCE_LOGIN;
+
 /**
 * @inheritDoc
 */
@@ -24,8 +31,16 @@ abstract class AbstractAuthedPage extends AbstractPage
 {
 parent::readParameters();
 
+ if (\OFFLINE) {
+ throw new IllegalLinkException();
+ }
+
 // check security token
 $this->checkAccessToken();
+
+ if (\FORCE_LOGIN && !WCF::getUser()->userID) {
+ throw new PermissionDeniedException();
+ }
 }
 
 /**
-- 
2.20.1
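Review bot: The docblock on the new `AVAILABLE_DURING_OFFLINE_MODE = \FORCE_LOGIN` constant does not say that, once the middleware is bypassed, the offline-mode and force-login checks are enforced only inside `readParameters()`. Because the constant is inherited by every subclass of AbstractAuthedPage, a subclass that overrides `readParameters()` without calling `parent::readParameters()`, or that redeclares the constant, would, as far as this patch shows, be reachable by guests while force login is active. I would add a sentence to the docblock such as `Subclasses MUST call parent::readParameters(), which re-applies the offline-mode and force-login checks after the access token has been evaluated.` Reusing the offline-mode flag to skip a different middleware also couples two unrelated access controls, which makes the bypass harder to audit; a dedicated opt-out would be clearer, though that is beyond this hunk.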
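Review bot: The two guards added to `readParameters()` have no comment saying that they stand in for middleware checks this class now skips, so their position around `$this->checkAccessToken()` looks arbitrary and is easy to break in a later refactor. The `\FORCE_LOGIN` test has to stay after the token check because it relies on `WCF::getUser()` already reflecting the token's user (checkAccessToken() is outside the hunk, so this is inferred); a comment such as `// CheckForForceLogin is bypassed for this page, so enforce it here once the access token has been evaluated` would pin that down. The `\OFFLINE` guard is unconditional and throws `IllegalLinkException`, which presumably also rejects accounts that are normally allowed in during offline mode and reports a missing page rather than a temporary outage; if that is intended, state it in a comment above the guard. The method signature is outside the hunk.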