Prevent logout CSRFs (#7999)

By avoiding `FreshRSS_Context::initUser()` calls
author: Inverle <inverle@proton.me> 2025-09-25 21:52:29 +0200
committer: GitHub <noreply@github.com> 2025-09-25 21:52:29 +0200
commit: f8b2b8c4153f8acdb4267a269ada27f8af22d7d9 (patch)
tree: 688558861dbf7ad5c19569bbe9e57311825856de /app/Controllers/javascriptController.php
parent: 960c6c88a5f9b9e07f933147feb9717b0133988d (diff)
1 files changed, 5 insertions, 5 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index cd8d2522a..5fd925f72 100644
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -66,16 +66,16 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
 		header('Cache-Control: private, no-cache, no-store, must-revalidate');
 		header('Pragma: no-cache');
 
-		$user = $_GET['user'] ?? '';
-		if (!is_string($user) || $user === '') {
+		$user = Minz_Request::paramString('user');
+		if ($user === '') {
 			Minz_Error::error(400);
 			return;
 		}
-		FreshRSS_Context::initUser($user);
-		if (FreshRSS_Context::hasUserConf()) {
+		$user_conf = get_user_configuration($user);
+		if ($user_conf !== null) {
 			try {
 				$salt = FreshRSS_Context::systemConf()->salt;
-				$s = FreshRSS_Context::userConf()->passwordHash;
+				$s = $user_conf->passwordHash;
 				if (strlen($s) >= 60) {
 					//CRYPT_BLOWFISH Salt: "$2a$", a two digit cost parameter, "$", and 22 characters from the alphabet "./0-9A-Za-z".
 					$this->view->salt1 = substr($s, 0, 29);
author	Inverle <inverle@proton.me>	2025-09-25 21:52:29 +0200
committer	GitHub <noreply@github.com>	2025-09-25 21:52:29 +0200
commit	f8b2b8c4153f8acdb4267a269ada27f8af22d7d9 (patch)
tree	688558861dbf7ad5c19569bbe9e57311825856de /app/Controllers/javascriptController.php
parent	960c6c88a5f9b9e07f933147feb9717b0133988d (diff)