Diffstat (limited to 'app')
-rw-r--r--app/FreshRSS.php5
1 files changed, 3 insertions, 2 deletions
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 5b16e3f89..5bf0011d0 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -76,8 +76,9 @@ class FreshRSS extends Minz_FrontController {
}
if (!(FreshRSS_Auth::isCsrfOk() ||
(Minz_Request::controllerName() === 'auth' && Minz_Request::actionName() === 'login') ||
- (Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' &&
- !FreshRSS_Auth::hasAccess('admin'))
+ (Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' && !FreshRSS_Auth::hasAccess('admin')) ||
+ (Minz_Request::controllerName() === 'feed' && Minz_Request::actionName() === 'actualize' && FreshRSS_Context::$system_conf->allow_anonymous_refresh) ||
+ (Minz_Request::controllerName() === 'javascript' && Minz_Request::actionName() === 'actualize' && FreshRSS_Context::$system_conf->allow_anonymous)
)) {
// Token-based protection against XSRF attacks, except for the login or self-create user forms
self::initI18n();
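Review bot: The two clauses added for `feed`/`actualize` and `javascript`/`actualize` skip the token check for every request to those actions once `allow_anonymous_refresh` or `allow_anonymous` is on, including requests that carry a logged-in user's session; unlike the `user`/`create` clause, they are not narrowed by an access check. If the exemption is meant only for anonymous callers, narrow each clause, for example by appending `&& !FreshRSS_Auth::hasAccess()`, so an authenticated session still has to present a valid token; whether that matters depends on what the actualize actions accept from an authenticated request, which is outside this hunk. The comment under the condition is now stale and should name the new cases, e.g. `// Token-based protection against XSRF attacks, except for the login form, the self-create user form, and the anonymous refresh actions when enabled`. The enclosing method starts and ends outside the hunk, so the checks around this condition are not visible here.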