check for admin in AJAX backend

author: Andreas Gohr <andi@splitbrain.org> 2014-01-06 21:25:59 +0100
committer: Andreas Gohr <andi@splitbrain.org> 2014-01-06 21:25:59 +0100
commit: da5f0eee25838368de375eb14d345b70ae3cbc7a (patch)
tree: dd8600ecbbe8e5b4a471240f6451271577db9368 /lib/plugins/extension
parent: 0826f6cbd906e92fd040dfd3377f1b2a9db13873 (diff)
download: rpg-da5f0eee25838368de375eb14d345b70ae3cbc7a.tar.gz
rpg-da5f0eee25838368de375eb14d345b70ae3cbc7a.tar.bz2
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/plugins/extension/action.php b/lib/plugins/extension/action.php
index 0d6e7d996..9dd1648ff 100644
--- a/lib/plugins/extension/action.php
+++ b/lib/plugins/extension/action.php
@@ -29,7 +29,15 @@ class action_plugin_extension extends DokuWiki_Action_Plugin {
      * @param            $param
      */
     public function info(Doku_Event &$event, $param){
+        global $USERINFO;
         global $INPUT;
+
+        if(empty($_SERVER['REMOTE_USER']) || !auth_isadmin($_SERVER['REMOTE_USER'], $USERINFO['grps'])){
+            http_status(403);
+            echo 'Forbidden';
+            exit;
+        }
+
         if($event->data != 'plugin_extension') return;
         $event->preventDefault();
         $event->stopPropagation();
author	Andreas Gohr <andi@splitbrain.org>	2014-01-06 21:25:59 +0100
committer	Andreas Gohr <andi@splitbrain.org>	2014-01-06 21:25:59 +0100
commit	da5f0eee25838368de375eb14d345b70ae3cbc7a (patch)
tree	dd8600ecbbe8e5b4a471240f6451271577db9368 /lib/plugins/extension
parent	0826f6cbd906e92fd040dfd3377f1b2a9db13873 (diff)
download	rpg-da5f0eee25838368de375eb14d345b70ae3cbc7a.tar.gz rpg-da5f0eee25838368de375eb14d345b70ae3cbc7a.tar.bz2