From da5f0eee25838368de375eb14d345b70ae3cbc7a Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Mon, 6 Jan 2014 21:25:59 +0100
Subject: check for admin in AJAX backend

---
 lib/plugins/extension/action.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'lib/plugins')

diff --git a/lib/plugins/extension/action.php b/lib/plugins/extension/action.php
index 0d6e7d996..9dd1648ff 100644
--- a/lib/plugins/extension/action.php
+++ b/lib/plugins/extension/action.php
@@ -29,7 +29,15 @@ class action_plugin_extension extends DokuWiki_Action_Plugin {
      * @param $param
      */
     public function info(Doku_Event &$event, $param){
+        global $USERINFO;
         global $INPUT;
+
+        if(empty($_SERVER['REMOTE_USER']) || !auth_isadmin($_SERVER['REMOTE_USER'], $USERINFO['grps'])){
+            http_status(403);
+            echo 'Forbidden';
+            exit;
+        }
+
         if($event->data != 'plugin_extension') return;
         $event->preventDefault();
         $event->stopPropagation();
-- 
cgit v1.2.3
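Review bot: The new admin gate runs before the `if($event->data != 'plugin_extension') return;` line, so any AJAX call that reaches this handler from an anonymous or non-admin user gets a 403 and an `exit`, not only the `plugin_extension` call; assuming this is hooked on the generic AJAX-call event (the registration is outside the hunk), that silently breaks other plugins' AJAX endpoints for ordinary users. Move the `if(empty($_SERVER['REMOTE_USER']) || !auth_isadmin(...)) { ... exit; }` block below `$event->stopPropagation();` so the call-name check and the preventDefault/stopPropagation calls run first and the 403 applies only to this plugin's call. `$USERINFO['grps']` is read without a guard; if `$USERINFO` can be unset for an authenticated request that would raise a notice, but whether that is possible depends on the auth setup, which is not visible here. The body of info() continues past the end of the hunk.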