Item11325: Issues with cmd= on edit

git-svn-id: http://svn.foswiki.org/trunk@13291 0b4bb1d4-4e5a-0410-9cc4-b2b747904278
foswiki · Dec 3, 2011 · 8af27c0 · 8af27c0
1 parent 91ffef6
commit 8af27c0
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/core/lib/Foswiki/UI/Edit.pm b/core/lib/Foswiki/UI/Edit.pm
@@ -344,6 +344,26 @@ sub init_edit {
 
     if ($adminCmd) {
 
+        unless ($users->isAdmin($user)) {
+            throw Foswiki::OopsException(
+                'accessdenied',
+                def    => 'topic_access',
+                web    => $web,
+                topic  => $topic,
+                params => [ "'cmd=$adminCmd'", 'Administrators only' ]
+            );
+        }
+
+        unless ($adminCmd =~ m/^(rep|del)Rev$/ ) {
+            throw Foswiki::OopsException(
+                'attention',
+                def   => 'unrecognized_action',
+                web   => $web,
+                topic => $topic,
+                params => [ "'cmd=$adminCmd'" ]
+            );
+           }
+
         # An admin cmd is a command such as 'repRev' or 'delRev'.
         # These commands can used by admins to silently remove
         # revisions from topics histories from some stores. repRev