Fixes #1830. Removed access and write access inputs for non-owners and non-admins.

author: Brett Profitt <brett.profitt@gmail.com> 2012-05-01 18:24:13 -0700
committer: Brett Profitt <brett.profitt@gmail.com> 2012-05-01 18:24:13 -0700
commit: 7303e0b19adae0a3fa5db139e3fafb310dd43485 (patch)
tree: 8923bfae644c54a5c93a7df8114b27dc035d8e72 /mod/pages/actions/pages/edit.php
parent: c0c5c0f81f40b5d72048e74842a650f974cefcd7 (diff)
download: elgg-7303e0b19adae0a3fa5db139e3fafb310dd43485.tar.gz
elgg-7303e0b19adae0a3fa5db139e3fafb310dd43485.tar.bz2
1 files changed, 13 insertions, 1 deletions
diff --git a/mod/pages/actions/pages/edit.php b/mod/pages/actions/pages/edit.php
index 6950d4b2f..a32e4a4ba 100644
--- a/mod/pages/actions/pages/edit.php
+++ b/mod/pages/actions/pages/edit.php
@@ -47,7 +47,19 @@ if ($page_guid) {
 }
 
 if (sizeof($input) > 0) {
+	// don't change access if not an owner/admin
+	$user = elgg_get_logged_in_user_entity();
+	$can_change_access = true;
+
+	if ($user && $page) {
+		$can_change_access = $user->isAdmin() || $user->getGUID() == $page->owner_guid;
+	}
+	
 	foreach ($input as $name => $value) {
+		if (($name == 'access_id' || $name == 'write_access_id') && !$can_change_access) {
+			continue;
+		}
+
 		$page->$name = $value;
 	}
 }
@@ -74,6 +86,6 @@ if ($page->save()) {
 
 	forward($page->getURL());
 } else {
-	register_error(elgg_echo('pages:error:no_save'));
+	register_error(elgg_echo('pages:error:notsaved'));
 	forward(REFERER);
 }
author	Brett Profitt <brett.profitt@gmail.com>	2012-05-01 18:24:13 -0700
committer	Brett Profitt <brett.profitt@gmail.com>	2012-05-01 18:24:13 -0700
commit	7303e0b19adae0a3fa5db139e3fafb310dd43485 (patch)
tree	8923bfae644c54a5c93a7df8114b27dc035d8e72 /mod/pages/actions/pages/edit.php
parent	c0c5c0f81f40b5d72048e74842a650f974cefcd7 (diff)
download	elgg-7303e0b19adae0a3fa5db139e3fafb310dd43485.tar.gz elgg-7303e0b19adae0a3fa5db139e3fafb310dd43485.tar.bz2