From 60cf5ea297a17db861e73cd65d7b7862bd6bcc24 Mon Sep 17 00:00:00 2001
From: Inverle
Date: Thu, 4 Dec 2025 08:46:11 +0100
Subject: Improve anonymous authentication logic (#8165)

* Improve anonymous authentication logic

* forgot to git add

* Fix incorrect token check

Because an empty parameter could be just passed if token for the user wasn't set: `&token=`
---
 app/Controllers/indexController.php | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

(limited to 'app/Controllers/indexController.php')

diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index bfa1eb521..fa46c3f3a 100644
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -200,14 +200,9 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 */
 public function rssAction(): void {
 $allow_anonymous = FreshRSS_Context::systemConf()->allow_anonymous;
- $token = FreshRSS_Context::userConf()->token;
- $token_param = Minz_Request::paramString('token');
- $token_is_ok = ($token != '' && $token === $token_param);

 // Check if user has access.
- if (!FreshRSS_Auth::hasAccess() &&
- !$allow_anonymous &&
- !$token_is_ok) {
+ if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous) {
 Minz_Error::error(403);
 }

@@ -241,12 +236,9 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 */
 public function opmlAction(): void {
 $allow_anonymous = FreshRSS_Context::systemConf()->allow_anonymous;
- $token = FreshRSS_Context::userConf()->token;
- $token_param = Minz_Request::paramString('token');
- $token_is_ok = ($token != '' && $token === $token_param);

 // Check if user has access.
- if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous && !$token_is_ok) {
+ if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous) {
 Minz_Error::error(403);
 }

--
cgit v1.2.3
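Review bot: The tightened guard in rssAction, `if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous)`, now returns 403 to every request that is neither session-authenticated nor covered by allow_anonymous, so the per-user `?token=` path this controller used to honour no longer exists here; because this view is limited to indexController.php it is not visible whether that check was relocated (presumably into FreshRSS_Auth::hasAccess()) or dropped, and if dropped, feed readers that hold no session and relied on the user token will now be refused. The `// Check if user has access.` comment should state where token authentication is expected to happen so the next reader does not re-add it here, e.g. `// Token-based access (?token=) is no longer checked here; expected to be handled by FreshRSS_Auth::hasAccess() — confirm.` The opmlAction hunk makes the same change and needs the same comment. If the token comparison was moved rather than removed, the relocated version should compare with `hash_equals()` and test emptiness with a strict `!== ''` rather than the loose `!= ''` the removed lines used. Both rssAction and opmlAction continue past the end of their hunks.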