From: Simon McVittie <smcv@debian.org>
Date: Sat, 1 Mar 2014 17:25:39 +0000 (+0000)
Subject: comments: use comments_pagespec for authorization, not just UI
X-Git-Tag: 3.20140916~49^2
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/ef7c80258daa2f3cf87fa4adea58f804a646fd77

comments: use comments_pagespec for authorization, not just UI
---

diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index a0ca9f32e..98ae13810 100644
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -438,6 +438,16 @@ sub editcomment ($$) {
 			$page));
 	}
 
+	# There's no UI to get here, but someone might construct the URL,
+	# leading to a comment that exists in the repository but isn't
+	# shown
+	if (!pagespec_match($page, $config{comments_pagespec},
+		location => $page)) {
+		error(sprintf(gettext(
+			"comments on page '%s' are not allowed"),
+			$page));
+	}
+
 	if (pagespec_match($page, $config{comments_closed_pagespec},
 		location => $page)) {
 		error(sprintf(gettext(