author | Michael Hamann <michael@content-space.de> | 2011-05-24 22:38:27 +0200 |
---|---|---|
committer | Michael Hamann <michael@content-space.de> | 2011-05-24 22:42:13 +0200 |
commit | 31bc8f119cd896f19085ea120b89356393d4f8e6 (patch) | |
tree | 052d634e73d3c90aa386200b6ec00a03f839f5b4 /inc | |
parent | 76388d5c9afc51bec28898bfa445600b5e5711bc (diff) | |
Check permissions + security token in lock + draft modification FS#2265
This disables lock and draft creation for pages the user can't edit. It
additionally adds a security token to the draft creation and deletion
request so - at least for logged in users - drafts can't be created,
modified or deleted so easily anymore.
Diffstat (limited to 'inc')
-rw-r--r-- | inc/actions.php | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/inc/actions.php b/inc/actions.php
index a36fdfd5b..ecf09036f 100644
--- a/inc/actions.php
+++ b/inc/actions.php
@@ -509,10 +509,14 @@ function act_edit($act){
 if(!$DATE) $DATE = $INFO['meta']['date']['modified'];
 //check if locked by anyone - if not lock for my self
- $lockedby = checklock($ID);
- if($lockedby) return 'locked';
+ //do not lock when the user can't edit anyway
+ if ($INFO['writable']) {
+ $lockedby = checklock($ID);
+ if($lockedby) return 'locked';
+
+ lock($ID);
+ }
- lock($ID);
 return $act;
 } |
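Review bot: When `$INFO['writable']` is false, the new guard skips `checklock($ID)` as well as `lock($ID)`, yet the function still returns `$act`, so a caller cannot tell "lock held" from "no lock taken, page not writable". The guard reads a cached global rather than performing a fresh permission check. Whether the later save path re-checks both the ACL and the lock is not visible here, since `act_edit` begins outside the hunk. I would state that contract in a comment at the closing brace of the `if`, for example `// not writable: no lock is taken here; saving must re-check permission and lock on its own`. I would also write the test as `if (!empty($INFO['writable'])) {` so that a missing key fails closed without raising a notice.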