From ef7c80258daa2f3cf87fa4adea58f804a646fd77 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Sat, 1 Mar 2014 17:25:39 +0000 Subject: comments: use comments_pagespec for authorization, not just UI --- IkiWiki/Plugin/comments.pm | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'IkiWiki') diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm index a0ca9f32e..98ae13810 100644 --- a/IkiWiki/Plugin/comments.pm +++ b/IkiWiki/Plugin/comments.pm @@ -438,6 +438,16 @@ sub editcomment ($$) { $page)); } + # There's no UI to get here, but someone might construct the URL, + # leading to a comment that exists in the repository but isn't + # shown + if (!pagespec_match($page, $config{comments_pagespec}, + location => $page)) { + error(sprintf(gettext( + "comments on page '%s' are not allowed"), + $page)); + } + if (pagespec_match($page, $config{comments_closed_pagespec}, location => $page)) { error(sprintf(gettext( -- cgit v1.2.3