From 5ca961b8d5130b54d3c5ec664574eac39a88de87 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Thu, 31 Dec 2020 00:13:29 +0100
Subject: Fix bugs in anomymous mode (#3305)

* Fix bugs in anomymous mode
Login bug (submit button not working) and refresh bug (JS null exception, and then 403).
* Take advantage of existing variable
---
app/FreshRSS.php | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'app/FreshRSS.php')
diff --git a/app/FreshRSS.php b/app/FreshRSS.php
index 5b16e3f89..5bf0011d0 100644
--- a/app/FreshRSS.php
+++ b/app/FreshRSS.php
@@ -76,8 +76,9 @@ class FreshRSS extends Minz_FrontController {
 }
 if (!(FreshRSS_Auth::isCsrfOk() ||
 (Minz_Request::controllerName() === 'auth' && Minz_Request::actionName() === 'login') ||
- (Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' &&
- !FreshRSS_Auth::hasAccess('admin'))
+ (Minz_Request::controllerName() === 'user' && Minz_Request::actionName() === 'create' && !FreshRSS_Auth::hasAccess('admin')) ||
+ (Minz_Request::controllerName() === 'feed' && Minz_Request::actionName() === 'actualize' && FreshRSS_Context::$system_conf->allow_anonymous_refresh) ||
+ (Minz_Request::controllerName() === 'javascript' && Minz_Request::actionName() === 'actualize' && FreshRSS_Context::$system_conf->allow_anonymous)
 )) {
 // Token-based protection against XSRF attacks, except for the login or self-create user forms
 self::initI18n();
--
cgit v1.2.3
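Review bot: The two added exemptions skip the CSRF token check for every caller whenever `allow_anonymous_refresh` or `allow_anonymous` is enabled, including a browser that carries a logged-in session; the `user`/`create` clause just above them is limited by `!FreshRSS_Auth::hasAccess('admin')`, and the new clauses have no equivalent. If the exemption is meant only for visitors without a session, each new clause could end with `&& !FreshRSS_Auth::hasAccess()` so that authenticated requests to `feed`/`actualize` and `javascript`/`actualize` still need a valid token; whether those actions do more for a logged-in user is not visible in this hunk, so confirm that first. The comment under the condition is now out of date and should list all exemptions, for example `// Token-based protection against XSRF attacks, except for the login and self-create user forms, and for the anonymous refresh actions when the system configuration allows them`. The enclosing method starts and ends outside the hunk.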