From 45dbd31d286838254cd1ae60e4ebb39c112526be Mon Sep 17 00:00:00 2001
From: zotlabs <mike@macgirvin.com>
Date: Wed, 25 Jan 2017 12:21:52 -0800
Subject: only allow wiki owner to delete pages

---
 Zotlabs/Module/Wiki.php | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'Zotlabs/Module/Wiki.php')

diff --git a/Zotlabs/Module/Wiki.php b/Zotlabs/Module/Wiki.php
index d694a28ae..75a620c37 100644
--- a/Zotlabs/Module/Wiki.php
+++ b/Zotlabs/Module/Wiki.php
@@ -538,6 +538,12 @@ class Wiki extends \Zotlabs\Web\Controller {
 				json_return_and_die(array('message' => t('Cannot delete Home'),'success' => false));
 			}
 			// Determine if observer has permission to delete pages
+			// currently just allow page owner
+
+			if((! local_channel()) || (local_channel() != $owner['channel_id'])) {
+				logger('Wiki write permission denied. ' . EOL);
+				json_return_and_die(array('success' => false));					
+			}
 
 			$perms = Zlib\NativeWiki::get_permissions($resource_id, intval($owner['channel_id']), $observer_hash);
 			if(! $perms['write']) {
-- 
cgit v1.2.3