authorGravatar Inverle <inverle@proton.me> 2025-12-04 08:46:11 +0100
committerGravatar GitHub <noreply@github.com> 2025-12-04 08:46:11 +0100
commit60cf5ea297a17db861e73cd65d7b7862bd6bcc24 (patch)
treee1f9a123f79a3f5b449777ea2c17d98ca897adfb /app/Controllers/indexController.php
parent1621f12a15855b3e1b98d58b6e8effe959926b46 (diff)
Improve anonymous authentication logic (#8165)
* Improve anonymous authentication logic
* forgot to git add
* Fix incorrect token check
  Because an empty parameter could just be passed if the token for the user wasn't set: `&token=`
Diffstat (limited to 'app/Controllers/indexController.php')
-rw-r--r--app/Controllers/indexController.php12
1 files changed, 2 insertions, 10 deletions
diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index bfa1eb521..fa46c3f3a 100644
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -200,14 +200,9 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
*/
public function rssAction(): void {
$allow_anonymous = FreshRSS_Context::systemConf()->allow_anonymous;
- $token = FreshRSS_Context::userConf()->token;
- $token_param = Minz_Request::paramString('token');
- $token_is_ok = ($token != '' && $token === $token_param);
// Check if user has access.
- if (!FreshRSS_Auth::hasAccess() &&
- !$allow_anonymous &&
- !$token_is_ok) {
+ if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous) {
Minz_Error::error(403);
}
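Review bot: With the inline token comparison removed from the guard in `rssAction` (and identically in `opmlAction` in the next hunk), nothing in this file shows where `?token=` requests are authorised, so the 403 decision now rests entirely on `FreshRSS_Auth::hasAccess()` and `allow_anonymous`. The replacement check is not visible in this diff, which is limited to this file; presumably it moved into the auth layer. Wherever it lives, it should reject an empty configured token and an empty `token` parameter, and compare with `hash_equals()` rather than the `===` used in the removed lines. Once that is confirmed, I would add a comment above each guard such as `// Token access (?token=...) is handled centrally by the auth layer; no per-action token check here.` and a regression test that `&token=` for a user with no token set returns 403. Both function bodies continue outside their hunks.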
@@ -241,12 +236,9 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
*/
public function opmlAction(): void {
$allow_anonymous = FreshRSS_Context::systemConf()->allow_anonymous;
- $token = FreshRSS_Context::userConf()->token;
- $token_param = Minz_Request::paramString('token');
- $token_is_ok = ($token != '' && $token === $token_param);
// Check if user has access.
- if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous && !$token_is_ok) {
+ if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous) {
Minz_Error::error(403);
}