From 609dd78bf744fee68f808b6e3f30d9cb62b20d3c Mon Sep 17 00:00:00 2001
From: Benjamin DALSASS <benjamin.dalsass@combodo.com>
Date: Thu, 5 Mar 2026 07:19:54 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B08612=20-=20force=20authentication=20for?=
 =?UTF-8?q?=20inline=20image=20endpoints?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 pages/ajax.document.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index 3320c298ff..69c9d0a03d 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -34,6 +34,8 @@ try {
 	require_once(APPROOT.'/application/startup.inc.php');
 
 	require_once(APPROOT.'/application/loginwebpage.class.inc.php');
+	LoginWebPage::DoLoginEx();
+
 	IssueLog::Trace('----- Request: '.utils::GetRequestUri(), LogChannels::WEB_REQUEST);
 
 	$oPage = new DownloadPage("");
@@ -43,7 +45,6 @@ try {
 
 	switch ($operation) {
 		case 'download_document':
-			LoginWebPage::DoLoginEx('backoffice', false);
 			$id = utils::ReadParam('id', '');
 			$sField = utils::ReadParam('field', '');
 			if ($sClass == 'Attachment') {
@@ -63,8 +64,6 @@ try {
 			break;
 
 		case 'download_inlineimage':
-			// No login is required because the "secret" protects us
-			// Benefit: the inline image can be inserted into any HTML (templating = $this->html(public_log)$)
 			$id = utils::ReadParam('id', '');
 			$sSecret = utils::ReadParam('s', '');
 			$iCacheSec = 31556926; // One year ahead: an inline image cannot change