From 79512ef9475ec7d53db2a276e01e23ae8d1b6f17 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Fri, 20 May 2022 10:12:09 +0200
Subject: [PATCH] Add `CheckForEnterpriseNonOwnerAccess` middleware
---
 ...CheckForEnterpriseNonOwnerAccess.class.php | 43 +++++++++++++++++++
 .../system/request/RequestHandler.class.php | 13 +-----
 2 files changed, 45 insertions(+), 11 deletions(-)
 create mode 100644 wcfsetup/install/files/lib/http/middleware/CheckForEnterpriseNonOwnerAccess.class.php
diff --git a/wcfsetup/install/files/lib/http/middleware/CheckForEnterpriseNonOwnerAccess.class.php b/wcfsetup/install/files/lib/http/middleware/CheckForEnterpriseNonOwnerAccess.class.php
new file mode 100644
index 0000000000..aae1ffb1e8
--- /dev/null
+++ b/wcfsetup/install/files/lib/http/middleware/CheckForEnterpriseNonOwnerAccess.class.php
@@ -0,0 +1,43 @@
+
+ * @package WoltLabSuite\Core\Http\Middleware
+ * @since 5.6
+ */
+final class CheckForEnterpriseNonOwnerAccess implements MiddlewareInterface
+{
+ /**
+ * @inheritDoc
+ */
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+ {
+ $requestHandler = RequestHandler::getInstance();
+
+ if (
+ $requestHandler->isACPRequest()
+ && \ENABLE_ENTERPRISE_MODE
+ && \defined($requestHandler->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
+ && \constant($requestHandler->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
+ && !WCF::getUser()->hasOwnerAccess()
+ ) {
+ throw new IllegalLinkException();
+ }
+
+ return $handler->handle($request);
+ }
+}
diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index 6c57cd2668..9b4c719ff3 100644
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
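Review bot: `process()` calls `$requestHandler->getActiveRequest()->getClassName()` twice with no guard, and nothing in the class records that the active request must already be resolved; the old inline check (see the RequestHandler hunk) was safe only because it ran directly after `$this->buildRequest($application)`, whereas a middleware can be registered in any pipeline. If `getActiveRequest()` can still be null at that point (likely, before buildRequest() has run), the outcome is a generic Error rather than the intended IllegalLinkException. Suggest hoisting the lookup into `$className = $requestHandler->getActiveRequest()->getClassName();` and using it in both the `\defined()` and `\constant()` calls, plus a docblock sentence on the class such as "Must be registered after the active request has been built; only ACP controllers that declare a truthy BLACKLISTED_IN_ENTERPRISE_MODE constant are affected, all others pass through." The file header, namespace and use lines of the new file are not legible in this chunk, so the existing class docblock could not be checked.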
@@ -6,6 +6,7 @@ use Laminas\Diactoros\ServerRequestFactory;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use wcf\http\LegacyPlaceholderResponse;
 use wcf\http\middleware\AddAcpSecurityHeaders;
+use wcf\http\middleware\CheckForEnterpriseNonOwnerAccess;
 use wcf\http\middleware\CheckForExpiredAppEvaluation;
 use wcf\http\middleware\CheckForOfflineMode;
 use wcf\http\middleware\EnforceCacheControlPrivate;
@@ -84,21 +85,11 @@ class RequestHandler extends SingletonFactory
 // build request
 $this->buildRequest($application);
- // enforce that certain ACP pages are not available for non-owners in enterprise mode
- if (
- $this->isACPRequest()
- && ENABLE_ENTERPRISE_MODE
- && \defined($this->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
- && \constant($this->getActiveRequest()->getClassName() . '::BLACKLISTED_IN_ENTERPRISE_MODE')
- && !WCF::getUser()->hasOwnerAccess()
- ) {
- throw new IllegalLinkException();
- }
 $pipeline = new Pipeline([
 new AddAcpSecurityHeaders(),
 new EnforceCacheControlPrivate(),
 new EnforceFrameOptions(),
+ new CheckForEnterpriseNonOwnerAccess(),
 new CheckForExpiredAppEvaluation(),
 new CheckForOfflineMode(),
 ]);
-- 
2.20.1
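Review bot: The removed comment (`// enforce that certain ACP pages are not available for non-owners in enterprise mode`) was the only place that explained the enterprise-mode restriction, and its replacement `new CheckForEnterpriseNonOwnerAccess(),` sits between the header middlewares and `CheckForExpiredAppEvaluation`/`CheckForOfflineMode` with nothing saying that its position matters. The relative order with those two later checks is carried over from the old inline code, which ran before the whole pipeline, so presumably it is intentional that a blacklisted page is rejected before offline-mode and evaluation handling get a chance to answer; a one-line comment on the pipeline, e.g. `// order matters: the enterprise-mode check runs before the offline/evaluation checks, as the former inline check did`, would keep a future reordering from silently changing which response wins. The enclosing method starts and ends outside the hunk.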