401 for unauthorised request to settings, notifications page fixes #714

framework/core/src/Forum/Controller/AuthorizedClientController.php

@@ -0,0 +1,30 @@
+<?php
+/*
+ * This file is part of Flarum.
+ *
+ * (c) Toby Zerner <toby.zerner@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Flarum\Forum\Controller;
+
+use Flarum\Core\User;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Flarum\Core\Exception\PermissionDeniedException;
+
+class AuthorizedClientController extends ClientController
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function render(Request $request)
+    {
+        if (!$request->getAttribute('session')->get('user_id')) {
+            throw new PermissionDeniedException;
+        }
+
+        return parent::render($request);
+    }
+}

framework/core/src/Forum/ForumServiceProvider.php

@@ -80,13 +80,13 @@ class ForumServiceProvider extends AbstractServiceProvider
         $routes->get(
             '/settings',
             'settings',
-            $toController('Flarum\Forum\Controller\ClientController')
+            $toController('Flarum\Forum\Controller\AuthorizedClientController')
         );
 
         $routes->get(
             '/notifications',
             'notifications',
-            $toController('Flarum\Forum\Controller\ClientController')
+            $toController('Flarum\Forum\Controller\AuthorizedClientController')
         );
 
         $routes->get(