Fixed: a user not authorized to edit wiki pages gets the edit form if the page doesn't exist. He now gets a 404.

git-svn-id: http://redmine.rubyforge.org/svn/trunk@823 e93f8b46-1217-0410-a6f0-8f06a7374b81
2007-10-10 21:18:10 +00:00 · 2007-10-10 21:18:10 +00:00 · 3844e4bca8
parent 38f540a701
commit 3844e4bca8
1 changed files with 7 additions and 2 deletions
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@ -31,8 +31,13 @@ class WikiController < ApplicationController
    page_title = params[:page]
    @page = @wiki.find_or_new_page(page_title)
    if @page.new_record?
-      edit
-      render :action => 'edit' and return
+      if User.current.allowed_to?(:edit_wiki_pages, @project)
+        edit
+        render :action => 'edit'
+      else
+        render_404
+      end
+      return
    end
    @content = @page.content_for_version(params[:version])
    if params[:export] == 'html'