authorGravatar Inverle <inverle@proton.me> 2025-07-31 13:48:42 +0200
committerGravatar GitHub <noreply@github.com> 2025-07-31 13:48:42 +0200
commitd0425f8c3ab14e72142b1a4f946d57b408f26c88 (patch)
treedc7486c2f8eeb9a104ace7850006e2c42da33fe9
parent97f1bd2dcb5ef2087c3928d84a6188b6fe962229 (diff)
Add missing access checks for feed-related actions (#7768)
* Add missing access checks for feed-related actions * fix whitespace
-rw-r--r--app/Controllers/javascriptController.php13
-rw-r--r--app/Controllers/tagController.php4
2 files changed, 17 insertions, 0 deletions
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 8d39a9d0c..cd8d2522a 100644
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -19,6 +19,14 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
}
public function actualizeAction(): void {
+ if (!FreshRSS_Auth::hasAccess() && !(
+ FreshRSS_Context::systemConf()->allow_anonymous
+ && FreshRSS_Context::systemConf()->allow_anonymous_refresh
+ )) {
+ Minz_Error::error(403);
+ return;
+ }
+
header('Content-Type: application/json; charset=UTF-8');
Minz_Session::_param('actualize_feeds', false);
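Review bot: The new guard in actualizeAction and the one added to nbUnreadsPerFeedAction in the next hunk are the same "403 unless logged in or anonymous access applies" pattern differing only in the anonymous condition, so a single private helper would keep the two consistent and make the refresh-specific rule visible in one place, e.g. `private function denyUnlessAccessible(bool $anonymousAllowed): bool` returning whether the action may continue. The compound condition in this hunk also deserves a one-line comment above it, such as `// Anonymous refresh requires both allow_anonymous and allow_anonymous_refresh`, since the operator precedence of `!… && !(… && …)` is easy to misread. Note that the 403 is emitted before the `Content-Type: application/json` header is set, so a JS caller presumably receives whatever Minz_Error::error renders rather than JSON; if that is intentional it is worth stating in the comment. The body of actualizeAction continues past the end of this hunk.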
@@ -34,6 +42,11 @@ class FreshRSS_javascript_Controller extends FreshRSS_ActionController {
}
public function nbUnreadsPerFeedAction(): void {
+ if (!FreshRSS_Auth::hasAccess() && !FreshRSS_Context::systemConf()->allow_anonymous) {
+ Minz_Error::error(403);
+ return;
+ }
+
header('Content-Type: application/json; charset=UTF-8');
$catDAO = FreshRSS_Factory::createCategoryDao();
$this->view->categories = $catDAO->listCategories(prePopulateFeeds: true, details: false);
diff --git a/app/Controllers/tagController.php b/app/Controllers/tagController.php
index 68047656e..da7e0c2da 100644
--- a/app/Controllers/tagController.php
+++ b/app/Controllers/tagController.php
@@ -89,6 +89,10 @@ class FreshRSS_tag_Controller extends FreshRSS_ActionController {
* This action updates the given tag.
*/
public function updateAction(): void {
+ if (!FreshRSS_Auth::hasAccess()) {
+ Minz_Error::error(403);
+ return;
+ }
if (Minz_Request::paramBoolean('ajax')) {
$this->view->_layout(null);
}
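Review bot: The docblock directly above updateAction still reads only "This action updates the given tag." and does not mention the new failure mode; add `* Responds with HTTP 403 when the current user has no access.` so callers and the API surface are documented alongside the check. The guard is placed before `$this->view->_layout(null)`, so an AJAX request that is denied will presumably get the full-layout error rendering rather than a bare one — if a layout-less 403 is wanted for `ajax` callers, the layout line should come first, otherwise a short comment explaining the order would help. Since this is a mutating action, it is worth confirming that the part of the body outside this hunk still restricts it to POST requests (this cannot be seen from the hunk). updateAction's body continues beyond the end of the hunk.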