From 3aaa72f12c6b23df157ba26b29b466f891ab52d7 Mon Sep 17 00:00:00 2001
From: Scott Walters
Date: Tue, 24 Sep 2013 12:27:50 -0500
Subject: [PATCH] don't let non-priviledged users turn on the admin; additional logic to kick them out of admin when they're no longer logged in would be nice too.
---
 lib/WebGUI/Content/Admin.pm | 2 ++
 lib/WebGUI/Operation/Admin.pm | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/lib/WebGUI/Content/Admin.pm b/lib/WebGUI/Content/Admin.pm
index 92ed3f16b..29ea7b1d7 100644
--- a/lib/WebGUI/Content/Admin.pm
+++ b/lib/WebGUI/Content/Admin.pm
@@ -47,6 +47,8 @@ Handle every op=admin request
 sub handler {
 my ($session) = @_;
+ return "" unless ($session->user->canUseAdminMode);
+
 if ( $session->form->get("op") eq "admin" ) {
 if ( $session->form->get("plugin") ) {
 my $id = $session->form->get('id');
diff --git a/lib/WebGUI/Operation/Admin.pm b/lib/WebGUI/Operation/Admin.pm
index 56240921e..7766db6e0 100644
--- a/lib/WebGUI/Operation/Admin.pm
+++ b/lib/WebGUI/Operation/Admin.pm
@@ -19,7 +19,9 @@ Package WebGUI::Operation::Admin
 =head1 DESCRIPTION
-Operation handler for admin functions
+Operation handler for admin functions.
+
+See also L, which handles C requests.
 =cut
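Review bot: The new guard `return "" unless ($session->user->canUseAdminMode);` in `handler` refuses silently and sits before the `op` test, so it fires on every request from a user without admin-mode rights and records nothing when such a user actually requests `op=admin`. Moving it inside the `if ( $session->form->get("op") eq "admin" )` branch would scope the denial to admin requests and give one place to log the refused attempt with the user id. Whether the dispatcher treats `""` the same as `undef` (falling through to the next content handler) is not visible here and is worth confirming, because the two outcomes differ in what the refused user is served. The body of `handler` continues past the hunk, so any per-plugin or per-asset permission checks applied to the `plugin` and `id` form values could not be reviewed.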