From 218ccf51e38ad9b0654aa509f2bf8eec44d69c07 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Fri, 8 Aug 2014 11:47:06 +0200
Subject: Add permission checks to the request feature

* Only show the request form to users that are logged in.
* Only show the close request form to Trusted Users and developers.
* Check for a valid login in pkgreq_file().

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/html/pkgreq.php | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'web/html')

diff --git a/web/html/pkgreq.php b/web/html/pkgreq.php
index 03b31b8..ccb0acd 100644
--- a/web/html/pkgreq.php
+++ b/web/html/pkgreq.php
@@ -9,9 +9,17 @@ set_lang();
 check_sid();
 
 if (isset($base_id)) {
+	if (!has_credential(CRED_PKGREQ_FILE)) {
+		header('Location: /');
+		exit();
+	}
 	html_header(__("File Request"));
 	include('pkgreq_form.php');
 } elseif (isset($pkgreq_id)) {
+	if (!has_credential(CRED_PKGREQ_CLOSE)) {
+		header('Location: /');
+		exit();
+	}
 	html_header(__("Close Request"));
 	$pkgbase_name = pkgreq_get_pkgbase_name($pkgreq_id);
 	include('pkgreq_close_form.php');
-- 
cgit v1.2.3-54-g00ecf