[ic] Re: Security hole in IC admin

Jon Jensen jon@akopia.com
Mon, 16 Apr 2001 19:01:07 -0500 (CDT)


Another change. Because why should the patch for page_save be correct?
Like the first do_view patch, it repelled would-be vandals, but failed to
properly display the error message. Here's the correct version.

Jon


Index: page_save.html
===================================================================
RCS file: /anon_cvs/repository/interchange/dist/lib/UI/pages/admin/page_save.html,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- page_save.html      2000/12/07 22:53:23     1.6
+++ page_save.html      2001/04/14 22:28:29     1.7
@@ -1,3 +1,11 @@
+[if !session admin]
+[or !session logged_in]
+[then]
+       [set ui_error]Must be logged in as admin.[/set]
+       [bounce page="__UI_BASE__/error"]
+[/then]
+[/if]
+
 [perl]
        my @filters = grep /^ui_filter:/, keys %$CGI;
        foreach my $key (@filters) {
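Review bot: the guard added at the top of page_save.html depends on [bounce] ending the page before the [perl] block right after [/if] runs and reads the ui_filter: keys from %$CGI. It is worth confirming that nothing below [/if] executes for a request that fails the check. If that is not guaranteed, move the remainder of the page into an [else] branch so the save logic is only reachable when both session admin and session logged_in are set. The message also mentions a separate do_view patch. If the same [if !session admin] [or !session logged_in] test is being repeated page by page, a single shared include for the admin pages would keep a later page from being added without it.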

