From 60cf5ea297a17db861e73cd65d7b7862bd6bcc24 Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Thu, 4 Dec 2025 08:46:11 +0100
Subject: Improve anonymous authentication logic (#8165)

* Improve anonymous authentication logic

* forgot to git add

* Fix incorrect token check

Because an empty parameter could be just passed if token for the user wasn't set: `&token=`
---
 app/Controllers/feedController.php | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

(limited to 'app/Controllers/feedController.php')

diff --git a/app/Controllers/feedController.php b/app/Controllers/feedController.php
index b6ecbeec2..1829417c1 100644
--- a/app/Controllers/feedController.php
+++ b/app/Controllers/feedController.php
@@ -13,12 +13,6 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 	#[\Override]
 	public function firstAction(): void {
 		if (!FreshRSS_Auth::hasAccess()) {
-			// Token is useful in the case that anonymous refresh is forbidden
-			// and CRON task cannot be used with php command so the user can
-			// set a CRON task to refresh his feeds by using token inside url
-			$token = FreshRSS_Context::userConf()->token;
-			$token_param = Minz_Request::paramString('token');
-			$token_is_ok = ($token != '' && $token == $token_param);
 			$action = Minz_Request::actionName();
 			$allow_anonymous_refresh = FreshRSS_Context::systemConf()->allow_anonymous_refresh;
 
@@ -28,8 +22,7 @@ class FreshRSS_feed_Controller extends FreshRSS_ActionController {
 				return;
 			}
 
-			if ($action !== 'actualize' ||
-					!($allow_anonymous_refresh || $token_is_ok)) {
+			if ($action !== 'actualize' || !$allow_anonymous_refresh) {
 				Minz_Error::error(403);
 			}
 		}
-- 
cgit v1.2.3