Fix access control in rss and opml actions (#8912)

Due to missing `return` statement while using `redirect: false`, no `exit()` is done during `Minz_Error::error()` Regression from https://github.com/FreshRSS/FreshRSS/pull/8434
2026-06-11 09:07:37 -04:00 · 2026-06-05 22:38:17 +02:00
parent aaae9ee388
commit bf2de1baea
1 changed files with 2 additions and 0 deletions
--- a/app/Controllers/indexController.php
+++ b/app/Controllers/indexController.php
@@ -251,6 +251,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 		// Check if user has access.
 		if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous && !Minz_Request::tokenIsOk()) {
 			Minz_Error::error(403, redirect: false);
+			return;
 		}

 		try {
@@ -287,6 +288,7 @@ class FreshRSS_index_Controller extends FreshRSS_ActionController {
 		// Check if user has access.
 		if (!FreshRSS_Auth::hasAccess() && !$allow_anonymous && !Minz_Request::tokenIsOk()) {
 			Minz_Error::error(403, redirect: false);
+			return;
 		}

 		try {