From fca077a6cbdc2b512c5b7a3bfd2515a7a073fa14 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Thu, 13 Oct 2011 20:12:42 +0200
Subject: [PATCH] By default, guests may not access actions

---
 .../lib/data/AbstractDatabaseObjectAction.class.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/wcfsetup/install/files/lib/data/AbstractDatabaseObjectAction.class.php b/wcfsetup/install/files/lib/data/AbstractDatabaseObjectAction.class.php
index add8819da9..5242b3885b 100644
--- a/wcfsetup/install/files/lib/data/AbstractDatabaseObjectAction.class.php
+++ b/wcfsetup/install/files/lib/data/AbstractDatabaseObjectAction.class.php
@@ -72,6 +72,12 @@ abstract class AbstractDatabaseObjectAction implements IDatabaseObjectAction {
 */
 protected $returnValues = null;
 
+ /**
+ * disallow guest access
+ * @var boolean
+ */
+ protected $allowGuestAccess = false;
+
 /**
 * Initialized a new DatabaseObject-related action.
 *
@@ -92,6 +98,11 @@ abstract class AbstractDatabaseObjectAction implements IDatabaseObjectAction {
 * @see wcf\data\IDatabaseObjectAction::validateAction()
 */
 public function validateAction() {
+ // validate if user is logged in
+ if (!$this->allowGuestAccess && !WCF::getUser()->userID) {
+ throw new ValidateActionException("Please login before executing this action");
+ }
+
 // validate action name
 if (!method_exists($this, $this->getActionName())) {
 throw new ValidateActionException("unknown action '".$this->getActionName()."'");
-- 
2.20.1
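Review bot: The docblock added above `$allowGuestAccess` in the first hunk says "disallow guest access", which reads as the opposite of the property name. It describes the default value rather than what the flag controls. A subclass author deciding whether to override it needs the meaning of `true`, so I would word it as `* whether guests (users without a userID) may execute this class's actions; false requires a logged-in user`. It would also help to state there that the flag covers every action of the class, since that is how `validateAction()` applies it.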
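Review bot: The guard added at the top of `validateAction()` in the second hunk is controlled by a single class-wide boolean. A subclass that sets `$allowGuestAccess = true` for one guest-facing action therefore lifts the login requirement for every action method it defines. Keeping default-deny per action would be safer, for example by making the property a list of action names and testing `!in_array($this->getActionName(), $this->allowGuestAccess, true)` in place of `!$this->allowGuestAccess`. The check only establishes that a user is logged in, not that they hold any permission, so a comment such as `// authentication only; subclasses must still check permissions` would prevent it being read as an authorization check. `validateAction()` continues past the end of the hunk, and whether every execution path calls it first is not visible here.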