Close wide-open hacking hole! This script wasn't checking for admin
authormartin <martin>
Tue, 6 Aug 2002 12:17:40 +0000 (12:17 +0000)
committermartin <martin>
Tue, 6 Aug 2002 12:17:40 +0000 (12:17 +0000)
user in the case where the site has been defined already.  Oops. Fixed now.

admin/site.php

index 39104d9a6c9e41e57cb87035eedd4b4fa5a9105f..e3ea6dd13e9c7c34d92525e5b6246659c96d3e0e 100644 (file)
@@ -2,7 +2,11 @@
 
        require("../config.php");
 
-    $course = get_site();
+    if ($course = get_site()) {
+        if (!isadmin()) {
+            error("You need to be admin to edit this page");
+        }
+    }
     $course->format = "social";   // override
 
 /// If data submitted, then process and store.
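Review bot: The admin check wrapped in `if ($course = get_site()) {` is enforced only when get_site() returns a truthy value, so whenever that lookup comes back empty this page, including the submission handling that starts at the end of the hunk, stays reachable without authorization. If the unguarded path is meant only for first-time setup, make that explicit with an `else` branch carrying a comment such as `// no site record yet: first-run setup, admin check deliberately skipped`, and consider tying it to that state rather than to any falsy result. The guard also depends on error() halting the script, which the hunk does not show; if it can return, execution falls through to `$course->format = "social";` and the processing below. The script continues outside the hunk.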