Update action.php

fix bug that only allows admins any AJAX calls
author: jgpcx <jerry@gpcx.de> 2014-01-28 17:02:25 +0100
committer: jgpcx <jerry@gpcx.de> 2014-01-28 17:02:25 +0100
commit: b15cd32d2f75fbf943eda38a7b90f05d2806dae5 (patch)
tree: 1fe038b5755289cc2b1b4f3d85686961d64ddb23 /lib/plugins
parent: 48ccdc135140fd87d4dde1552692c507f3b5301f (diff)
download: rpg-b15cd32d2f75fbf943eda38a7b90f05d2806dae5.tar.gz
rpg-b15cd32d2f75fbf943eda38a7b90f05d2806dae5.tar.bz2
1 files changed, 5 insertions, 4 deletions
diff --git a/lib/plugins/extension/action.php b/lib/plugins/extension/action.php
index 9dd1648ff..3f2ccaace 100644
--- a/lib/plugins/extension/action.php
+++ b/lib/plugins/extension/action.php
@@ -32,16 +32,17 @@ class action_plugin_extension extends DokuWiki_Action_Plugin {
         global $USERINFO;
         global $INPUT;
 
+
+        if($event->data != 'plugin_extension') return;
+        $event->preventDefault();
+        $event->stopPropagation();
+
         if(empty($_SERVER['REMOTE_USER']) || !auth_isadmin($_SERVER['REMOTE_USER'], $USERINFO['grps'])){
             http_status(403);
             echo 'Forbidden';
             exit;
         }
 
-        if($event->data != 'plugin_extension') return;
-        $event->preventDefault();
-        $event->stopPropagation();
-
         header('Content-Type: text/html; charset=utf-8');
 
         $ext = $INPUT->str('ext');
author	jgpcx <jerry@gpcx.de>	2014-01-28 17:02:25 +0100
committer	jgpcx <jerry@gpcx.de>	2014-01-28 17:02:25 +0100
commit	b15cd32d2f75fbf943eda38a7b90f05d2806dae5 (patch)
tree	1fe038b5755289cc2b1b4f3d85686961d64ddb23 /lib/plugins
parent	48ccdc135140fd87d4dde1552692c507f3b5301f (diff)
download	rpg-b15cd32d2f75fbf943eda38a7b90f05d2806dae5.tar.gz rpg-b15cd32d2f75fbf943eda38a7b90f05d2806dae5.tar.bz2