authorAndreas Gohr <gohr@cosmocode.de>2010-01-13 09:20:36 +0100
committerAndreas Gohr <gohr@cosmocode.de>2010-01-13 09:32:56 +0100
commita46c097d04d070a8b37f3670277007639d06ff86 (patch)
tree28f2c851ece4275e03a709b0e93f0fa978c24ab4
parent85d9abfce24272c94a4c91a601364e9f2d5cc8c0 (diff)
fixed information leakage in ACL plugin FS#1847
-rw-r--r--lib/plugins/acl/ajax.php5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/plugins/acl/ajax.php b/lib/plugins/acl/ajax.php
index 54eaa8dc7..97fae2ad1 100644
--- a/lib/plugins/acl/ajax.php
+++ b/lib/plugins/acl/ajax.php
@@ -16,9 +16,11 @@ require_once(DOKU_INC.'inc/init.php');
require_once(DOKU_INC.'inc/common.php');
require_once(DOKU_INC.'inc/pageutils.php');
require_once(DOKU_INC.'inc/auth.php');
-//close sesseion
+//close session
session_write_close();
+if(!auth_ismanager()) die('forbidden');
+
$ID = getID();
if(!auth_isadmin) die('for admins only');
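Review bot: The context line `if(!auth_isadmin) die('for admins only');` right after the new guard is dead code: `auth_isadmin` without parentheses is a bare (undefined) constant, not a call, which under PHP 5 evaluates to the truthy string 'auth_isadmin' with a notice, so `!auth_isadmin` is always false and the die never fires — presumably why the leak existed before this commit. Since the new `auth_ismanager()` check is now the only effective gate and is apparently meant to admit managers, the stale line should be removed rather than "fixed" into `auth_isadmin()`, which would contradict the guard just added. Consider also signalling the denial to the client instead of answering 200 with a body: `if(!auth_ismanager()) { header('HTTP/1.1 403 Forbidden'); die('forbidden'); }`. The rest of the script, including the handlers that consume `$ID`, lies outside this hunk.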
@@ -42,6 +44,7 @@ if($ajax == 'info'){
if($ns == '*'){
$ns ='';
}
+ $ns = cleanID($ns);
$lvl = count(explode(':',$ns));
$ns = utf8_encodeFN(str_replace(':','/',$ns));