From bf2de1baea2624a26738ee4fec9dfd36621e2aec Mon Sep 17 00:00:00 2001
From: Inverle <inverle@proton.me>
Date: Fri, 5 Jun 2026 22:38:17 +0200
Subject: [PATCH] Fix access control in `rss` and `opml` actions (#8912)

Due to missing `return` statement while using `redirect: false`, no `exit()` is done during `Minz_Error::error()`

Regression from https://github.com/FreshRSS/FreshRSS/pull/8434
---
 app/Controllers/indexController.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app/Controllers/indexController.php b/app/Controllers/indexController.php
index 50cfefaa6..8ccaa45c6 100644
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -251,6 +251,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 		// Check if user has access.
 		if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous && !Minz_Request::tokenIsOk()) {
 			Minz_Error::error(403, redirect: false);
+			return;
 		}
 
 		try {
@@ -287,6 +288,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 		// Check if user has access.
 		if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous && !Minz_Request::tokenIsOk()) {
 			Minz_Error::error(403, redirect: false);
+			return;
 		}
 
 		try {