
Fix trusted cidrs check (#5853)

* Fix ignored TRUSTED_PROXY issue

* Add a sub-section to the docs on property mappings for Authentik

* Typo

* Fix typing

* A few changes to the doc

---------

Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Joe Stump, 2 years ago
commit 641b891972
2 changed files with 22 additions and 2 deletions
  1. docs/en/admins/09_AccessControl.md (+20 -0)
  2. lib/lib_rss.php (+2 -2)

+ 20 - 0
docs/en/admins/09_AccessControl.md

@@ -34,6 +34,26 @@ You may alternatively pass a `TRUSTED_PROXY` environment variable in a format co
 
 
 > ☠️ WARNING: FreshRSS will trust any IP configured in the `trusted_sources` option, if your proxy isn’t properly secured, an attacker could simply attach this header and get admin access.
 
 
+### Authentik Proxy Provider
+
+If you wish to use external authentication with [Authentik](https://goauthentik.io/),
+you will need to configure a [Proxy Provider](https://goauthentik.io/docs/providers/proxy/) with a *Property Mapping* that tells Authentik to inject the `X-WebAuth-User` HTTP header.
+You can do so with the following expression:
+
+```python
+return {
+    "ak_proxy": {
+        "user_attributes": {
+            "additionalHeaders": {
+                "X-WebAuth-User": request.user.username,
+            }
+        }
+    }
+}
+```
+
+See also another option for Authentik, [using the OAuth2 Provider with OpenID](16_OpenID-Connect-Authentik.md).
+
 ## No Authentication
 
 
 Not using authentication on your server is dangerous, as anyone with access to your server would be able to make changes as an admin.
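Review bot: the new "Authentik Proxy Provider" sub-section shows how to make Authentik emit `X-WebAuth-User` but never says that the header is only trusted from addresses listed in `trusted_sources` (or `TRUSTED_PROXY`), which is exactly the point of the ☠️ warning a few lines above the insertion. Add a sentence after the expression such as "Add the IP address of your Authentik outpost to `trusted_sources` or `TRUSTED_PROXY`, and make sure FreshRSS is reachable only through the proxy", otherwise readers will configure the mapping and wonder why they are not logged in, or worse, widen `trusted_sources` until it works. Minor style point: "See also another option for Authentik, [using the OAuth2 Provider with OpenID]" reads awkwardly; "Alternatively, Authentik can be used via its OAuth2 Provider with OpenID Connect, see [...]" is clearer.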

+ 2 - 2
lib/lib_rss.php

@@ -683,10 +683,10 @@ function checkTrustedIP(): bool {
 	if ($trusted != 0 && is_string($trusted)) {
 		$trusted = preg_split('/\s+/', $trusted, -1, PREG_SPLIT_NO_EMPTY);
 	}
-	if (empty($trusted)) {
+	if (!is_array($trusted) || empty($trusted)) {
 		$trusted = FreshRSS_Context::$system_conf->trusted_sources;
 	}
-	foreach (FreshRSS_Context::$system_conf->trusted_sources as $cidr) {
+	foreach ($trusted as $cidr) {
 		if (checkCIDR($remoteIp, $cidr)) {
 			return true;
 		}
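Review bot: the `foreach` change at the end of the hunk is the actual fix and is correct: the old loop iterated `FreshRSS_Context::$system_conf->trusted_sources` unconditionally, so the list split from `TRUSTED_PROXY` was computed and then silently discarded, which is why the variable was being ignored. The added `!is_array($trusted)` guard is also needed, since `preg_split()` returns `false` on failure and `empty(false)` would already be true but the later `foreach` would not have been protected in every path. Two follow-ups: the unchanged condition `if ($trusted != 0 && is_string($trusted))` relies on loose comparison with `0`, and `'' != 0` evaluates differently on PHP 7 and PHP 8; since the string check is already there, `if (is_string($trusted) && trim($trusted) !== '')` states the intent without that ambiguity. And because this regression (config list used instead of the environment list) fails silently and decides whether `X-WebAuth-User` is honoured, a unit test that sets `TRUSTED_PROXY` to a CIDR absent from `trusted_sources` and asserts `checkTrustedIP()` returns `true` for an address in that CIDR, and `false` for one outside it, would keep it from coming back.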