From 19039fd07b1f8a0d68ca9fe90ff2eb103443f4f5 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <fox@madoka.volgo-balt.ru>
Date: Wed, 9 Feb 2011 12:37:50 +0300
Subject: [PATCH] backend/rss: better error reporting for unauthorized feeds,
 do not automatically fallback on active session id when key has been provided
 (refs #318)

---
 backend.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/backend.php b/backend.php
index c7bd6180..4c9813cd 100644
--- a/backend.php
+++ b/backend.php
@@ -465,17 +465,21 @@
 			}
 
 			if ($key) {
+				$_SESSION['uid'] = false; // do not fallback to active session id
+
 				$result = db_query($link, "SELECT owner_uid FROM
 					ttrss_access_keys WHERE access_key = '$key' AND feed_id = '$feed'");
 
 				if (db_num_rows($result) == 1)
 					$_SESSION["uid"] = db_fetch_result($result, 0, "owner_uid");
-
 			}
 
 			if ($_SESSION["uid"]) {
 				generate_syndicated_feed($link, 0, $feed, $is_cat, $limit,
 					$search, $search_mode, $match_on, $view_mode);
+			} else {
+				header('HTTP/1.1 403 Forbidden');
+				print_error_xml(6); die;
 			}
 		break; // rss
 
-- 
2.39.5