From 4eaa2c8d37c583e66d33d53b04ff3ad9f3fc01b0 Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Fri, 21 Jun 2013 20:21:27 +0200
Subject: [PATCH] hotfix for news page accessible by all users

---
 public/include/pages/admin/news.inc.php      |  6 ++++++
 public/include/pages/admin/news_edit.inc.php | 16 +++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/public/include/pages/admin/news.inc.php b/public/include/pages/admin/news.inc.php
index ef7fb3dc..df0bb2fc 100644
--- a/public/include/pages/admin/news.inc.php
+++ b/public/include/pages/admin/news.inc.php
@@ -3,6 +3,12 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 
+// Check user to ensure they are admin
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
+  header("HTTP/1.1 404 Page not found");
+  die("404 Page not found");
+}
+
 // Include markdown library
 use \Michelf\Markdown;
 
diff --git a/public/include/pages/admin/news_edit.inc.php b/public/include/pages/admin/news_edit.inc.php
index 7e6a6730..81cfcb56 100644
--- a/public/include/pages/admin/news_edit.inc.php
+++ b/public/include/pages/admin/news_edit.inc.php
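Review bot: The admin guard is pasted verbatim into each page include (here and again in news_edit.inc.php), so every future file under pages/admin/ only stays protected if its author remembers to copy it; enforcing it once in the dispatcher that includes these pages (index.php, not in the hunk) or in a shared admin prelude closes that gap for all pages at once. If the per-page copy is kept, a comment such as `// Admin-only page: this guard must stay above any output or state-changing code` would document the ordering that news_edit's save handler depends on. The `||` short-circuit means `$_SESSION['USERDATA']['id']` is only read once `isAuthenticated()` has passed, which is correct, but worth a one-line comment since it is the only thing keeping an unauthenticated request from tripping an undefined-index notice. `header("HTTP/1.1 404 Page not found")` hard-codes the protocol version; `http_response_code(404)` (PHP 5.4+) lets the SAPI answer in the request's own version.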
@@ -3,15 +3,21 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 
+// Check user to ensure they are admin
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
+  header("HTTP/1.1 404 Page not found");
+  die("404 Page not found");
+}
+
 // Include markdown library
 use \Michelf\Markdown;
 
 if (@$_REQUEST['do'] == 'save') {
-    if ($news->updateNews($_REQUEST['id'], $_REQUEST['header'], $_REQUEST['content'], $_REQUEST['active'])) {
-        $_SESSION['POPUP'][] = array('CONTENT' => 'News updated', 'TYPE' => 'success');
-    } else {
-        $_SESSION['POPUP'][] = array('CONTENT' => 'News update failed: ' . $news->getError(), 'TYPE' => 'errormsg');
-    }
+  if ($news->updateNews($_REQUEST['id'], $_REQUEST['header'], $_REQUEST['content'], $_REQUEST['active'])) {
+    $_SESSION['POPUP'][] = array('CONTENT' => 'News updated', 'TYPE' => 'success');
+  } else {
+    $_SESSION['POPUP'][] = array('CONTENT' => 'News update failed: ' . $news->getError(), 'TYPE' => 'errormsg');
+  }
 }
 
 // Fetch news entry
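Review bot: The admin guard now sits above the save handler, but the handler itself still performs a state change off `$_REQUEST` with no request-method or anti-forgery check, so an admin's browser can be made to submit the update without the admin intending it; the fix only narrows who can trigger it, not how. The guard should at least require a POST and a per-session token, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['do']) && $_POST['do'] === 'save' && isset($_POST['token'], $_SESSION['CSRF_TOKEN']) && $_POST['token'] === $_SESSION['CSRF_TOKEN'])`, with the token name matched to whatever the form in the template actually emits (not visible here) and the inputs read from `$_POST` rather than `$_REQUEST` throughout. The `@` on `$_REQUEST['do']` and the loose `==` are the kind of silent coercion that hides bugs; `isset(...) && ... === 'save'` expresses the same intent without suppression. The re-indented `-`/`+` lines are whitespace-only and do not change behaviour; the enclosing file continues past the hunk at `// Fetch news entry`.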