From f8b2b8c4153f8acdb4267a269ada27f8af22d7d9 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Thu, 25 Sep 2025 21:52:29 +0200
Subject: Prevent logout CSRFs (#7999)

By avoiding `FreshRSS_Context::initUser()` calls
---
 app/Controllers/authController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/Controllers/authController.php')

diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 453851d22..1bdbc28b1 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -70,7 +70,7 @@ class FreshRSS_auth_Controller extends FreshRSS_ActionController {
 * the user is already connected.
 */
 public function loginAction(): void {
- if (FreshRSS_Auth::hasAccess() && Minz_Request::paramString('u') === '') {
+ if (FreshRSS_Auth::hasAccess() && !(FreshRSS_Context::systemConf()->unsafe_autologin_enabled && Minz_Request::paramString('u') !== '')) {
 Minz_Request::forward(['c' => 'index', 'a' => 'index'], true);
 }
 
-- 
cgit v1.2.3
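Review bot: The new guard in `loginAction()` still lets an already-authenticated session fall through to the rest of the login flow whenever `unsafe_autologin_enabled` is on and a `u` parameter is present, so on installs with that option enabled the cross-site session change this commit targets presumably remains reachable. That is likely an accepted trade-off of the "unsafe" setting, but the condition does not say so, and the negated compound is easy to misread on a later edit. I would name the exception and document it, e.g. `$isAutologinRequest = FreshRSS_Context::systemConf()->unsafe_autologin_enabled && Minz_Request::paramString('u') !== '';` followed by `if (FreshRSS_Auth::hasAccess() && !$isAutologinRequest) {`, with a comment such as `// Authenticated users are only allowed past this point for unsafe autologin; any other request carrying 'u' must not re-initialise the user (logout CSRF).` The body of `loginAction()` continues outside the hunk, so whether the autologin path itself verifies the request origin cannot be confirmed from here.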