ILIAS-eLearning · bidzanaaron · Dec 12, 2025
diff --git a/components/ILIAS/Feeds/resources/privfeed.php b/components/ILIAS/Feeds/resources/privfeed.php
@@ -29,75 +29,95 @@
 
 ilInitialisation::initILIAS();
 
-global $lng, $ilSetting;
+global $lng, $ilSetting, $DIC;
 
-$feed_set = new ilSetting("news");
+$feed_set = new ilSetting('news');
 
+$query = $DIC->http()->wrapper()->query();
+$refinery = $DIC->refinery();
+
+function sendUnauthorized()
+{
+    header('WWW-Authenticate: Basic realm="ILIAS Newsfeed"');
+    header('HTTP/1.0 401 Unauthorized');
+    exit;
+};
 
 if (!isset($_SERVER['PHP_AUTH_PW']) || !isset($_SERVER['PHP_AUTH_USER'])) {
-    Header("WWW-Authenticate: Basic realm=\"ILIAS Newsfeed\"");
-    Header("HTTP/1.0 401 Unauthorized");
+    sendUnauthorized();
+}
 
-    exit;
-} else {
-    if ($_GET["user_id"] != "" && ilObjUser::_getFeedPass($_GET["user_id"]) != "" &&
-        (md5($_SERVER['PHP_AUTH_PW']) == ilObjUser::_getFeedPass($_GET["user_id"]) &&
-            $_SERVER['PHP_AUTH_USER'] == ilObjUser::_lookupLogin($_GET["user_id"]))
-        && $feed_set->get("enable_private_feed")) {
-        include_once("./Services/Feeds/classes/class.ilUserFeedWriter.php");
-        // Third parameter is true for private feed
-        $writer = new ilUserFeedWriter($_GET["user_id"], $_GET["hash"], true);
+$auth_password_hash = md5($_SERVER['PHP_AUTH_PW']);
+$auth_username = $_SERVER['PHP_AUTH_USER'];
+
+$check_private_feed_auth = function ($user_id, $feed_pass, $login_name) use ($auth_password_hash, $auth_username, $feed_set) {
+    return $user_id > 0
+        && $feed_pass !== ''
+        && $feed_pass !== null
+        && $auth_password_hash === $feed_pass
+        && $auth_username === $login_name
+        && $feed_set->get('enable_private_feed');
+};
+
+$request_user_id = $query->retrieve('user_id', $refinery->byTrying([
+    $refinery->kindlyTo()->int(),
+    $refinery->always(0)
+]));
+
+if ($request_user_id > 0) {
+    $request_feed_pass = ilObjUser::_getFeedPass($request_user_id);
+    $request_login_name = ilObjUser::_lookupLogin($request_user_id);
+
+    if (
+        $feed_pass !== ''
+        && $feed_pass !== null
+        && $auth_password_hash === $feed_pass
+        && $auth_username === $login_name
+        && $feed_set->get('enable_private_feed')
+    ) {
+        $request_hash = $query->retrieve('hash', $refinery->byTrying([
+            $refinery->kindlyTo()->string(),
+            $refinery->always('')
+        ]));
+        $writer = new ilUserFeedWriter($request_user_id, $request_hash, true);
         $writer->showFeed();
-    } elseif ($_GET["ref_id"] != "" && md5($_SERVER['PHP_AUTH_PW']) == ilObjUser::_getFeedPass(ilObjUser::_lookupId($_SERVER['PHP_AUTH_USER']))) {
-        include_once("./Services/Feeds/classes/class.ilObjectFeedWriter.php");
-        // Second parameter is optional to pass on to database-level to get news for logged-in users
-        $writer = new ilObjectFeedWriter($_GET["ref_id"], ilObjUser::_lookupId($_SERVER['PHP_AUTH_USER']));
-        $writer->showFeed();
-    } else {
-        // send appropriate header, if password is wrong, otherwise
-        // there is no chance to re-enter it (unless, e.g. the browser is closed)
-        if (md5($_SERVER['PHP_AUTH_PW']) != ilObjUser::_getFeedPass(ilObjUser::_lookupId($_SERVER['PHP_AUTH_USER']))) {
-            Header("WWW-Authenticate: Basic realm=\"ILIAS Newsfeed\"");
-            Header("HTTP/1.0 401 Unauthorized");
-            exit;
-        }
-
-        include_once("./Services/Feeds/classes/class.ilFeedItem.php");
-        include_once("./Services/Feeds/classes/class.ilFeedWriter.php");
-
-        $blankFeedWriter = new ilFeedWriter();
-        $feed_item = new ilFeedItem();
-        $lng->loadLanguageModule("news");
-
-        if ($ilSetting->get('short_inst_name') != "") {
-            $blankFeedWriter->setChannelTitle($ilSetting->get('short_inst_name'));
-        } else {
-            $blankFeedWriter->setChannelTitle("ILIAS");
-        }
-
-
-
-
-        if (!$feed_set->get("enable_private_feed")) {
-            $blankFeedWriter->setChannelAbout(ILIAS_HTTP_PATH);
-            $blankFeedWriter->setChannelLink(ILIAS_HTTP_PATH);
-            // title
-            $feed_item->setTitle($lng->txt("priv_feed_no_access_title"));
-
-            // description
-            $feed_item->setDescription($lng->txt("priv_feed_no_access_body"));
-            $feed_item->setLink(ILIAS_HTTP_PATH);
-        } else {
-            $blankFeedWriter->setChannelAbout(ILIAS_HTTP_PATH);
-            $blankFeedWriter->setChannelLink(ILIAS_HTTP_PATH);
-            // title
-            $feed_item->setTitle($lng->txt("priv_feed_no_auth_title"));
-
-            // description
-            $feed_item->setDescription($lng->txt("priv_feed_no_auth_body"));
-            $feed_item->setLink(ILIAS_HTTP_PATH);
-        }
-        $blankFeedWriter->addItem($feed_item);
-        $blankFeedWriter->showFeed();
+        exit;
     }
 }
+
+$request_ref_id = $query->retrieve('ref_id', $refinery->byTrying([
+    $refinery->kindlyTo()->int(),
+    $refinery->always(0)
+]));
+
+$server_user_id = ilObjUser::_lookupId($auth_username);
+if ($server_user_id === null || $server_user_id === 0) {
+    sendUnauthorized();
+}
+
+$server_feed_pass = ilObjUser::_getFeedPass($server_user_id);
+if ($server_feed_pass === null || $auth_password_hash !== $server_feed_pass) {
+    sendUnauthorized();
+}
+
+if ($request_ref_id > 0) {
+    $writer = new ilObjectFeedWriter($request_ref_id, $server_user_id);
+    $writer->showFeed();
+    exit;
+}
+
+$blank_feed_writer = new ilFeedWriter();
+$feed_item = new ilFeedItem();
+$lng->loadLanguageModule('news');
+
+$channel_title = $ilSetting->get('short_inst_name');
+$blank_feed_writer->setChannelTitle($channel_title !== '' ? $channel_title : 'ILIAS');
+$blank_feed_writer->setChannelAbout(ILIAS_HTTP_PATH);
+$blank_feed_writer->setChannelLink(ILIAS_HTTP_PATH);
+
+$enable_private_feed = $feed_set->get('enable_private_feed');
+$feed_item->setTitle($lng->txt($enable_private_feed ? 'priv_feed_no_auth_title' : 'priv_feed_no_access_title'));
+$feed_item->setDescription($lng->txt($enable_private_feed ? 'priv_feed_no_auth_body' : 'priv_feed_no_access_body'));
+$feed_item->setLink(ILIAS_HTTP_PATH);
+$blank_feed_writer->addItem($feed_item);
+$blank_feed_writer->showFeed();