From 72f260c76aed03cbfb414c164085bd6a9c412ba8 Mon Sep 17 00:00:00 2001
From: Rey5
Date: Sun, 7 May 2023 04:10:08 +0800
Subject: [PATCH] fix a user_can security problem

---
 include/globalfunctions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/globalfunctions.php b/include/globalfunctions.php
index cbc0fd67..ec85a17a 100644
--- a/include/globalfunctions.php
+++ b/include/globalfunctions.php
@@ -1088,7 +1088,7 @@ function user_can($permission, $fail = false, $uid = 0): bool
 $uid = get_user_id();
 $log .= ", set current uid: $uid";
 }
- if ($uid <= 0) {
+ if (!$fail && $uid <= 0) {
 do_log("$log, unauthenticated, false");
 return false;
 }
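Review bot: With `!$fail &&` added to the guard, an unauthenticated call (`$uid <= 0`) made with `$fail = true` no longer stops here; it now depends on the permission lookup further down user_can, outside this hunk, to deny a zero or negative uid and raise the failure. If that later code ever resolves a permission for uid 0 (for example through a cached result or a default role), anonymous requests would pass the check, so the decision should fail closed at this point. I would keep `if ($uid <= 0) {` unconditional and branch inside it, after the log call: `if ($fail) { throw new <DENIAL_EXCEPTION_PLACEHOLDER>(...); }` followed by the existing `return false;`, using whatever exception the function's normal denial path already throws. As written, the change also skips the `do_log("$log, unauthenticated, false")` line for the hard-fail checks, which are the unauthenticated attempts most worth having in the log. The body of user_can starts and ends outside the hunk, so the denial path for uid 0 needs to be confirmed there.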