From 218ccf51e38ad9b0654aa509f2bf8eec44d69c07 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Fri, 8 Aug 2014 11:47:06 +0200
Subject: Add permission checks to the request feature

* Only show the request form to users that are logged in.
* Only show the close request form to Trusted Users and developers.
* Check for a valid login in pkgreq_file().

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/pkgreqfuncs.inc.php | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'web/lib/pkgreqfuncs.inc.php')

diff --git a/web/lib/pkgreqfuncs.inc.php b/web/lib/pkgreqfuncs.inc.php
index 98fb0cb..9207043 100644
--- a/web/lib/pkgreqfuncs.inc.php
+++ b/web/lib/pkgreqfuncs.inc.php
@@ -91,6 +91,10 @@ function pkgreq_file($ids, $type, $merge_into, $comments) {
 	global $AUR_REQUEST_ML;
 	global $AUTO_ORPHAN_AGE;
 
+	if (!has_credential(CRED_PKGREQ_FILE)) {
+		return array(false, __("You must be logged in to file package requests."));
+	}
+
 	if (!empty($merge_into) && !preg_match("/^[a-z0-9][a-z0-9\.+_-]*$/D", $merge_into)) {
 		return array(false, __("Invalid name: only lowercase letters are allowed."));
 	}
-- 
cgit v1.2.3-70-g09d2