don't let non-priviledged users turn on the admin; additional logic to kick them out of admin when they're no longer logged in would be nice too.

lib/WebGUI/Content/Admin.pm

@@ -47,6 +47,8 @@ Handle every op=admin request
 sub handler {
     my ($session) = @_;
 
+    return "" unless ($session->user->canUseAdminMode);
+
     if ( $session->form->get("op") eq "admin" ) {
         if ( $session->form->get("plugin") ) {
             my $id      = $session->form->get('id');

lib/WebGUI/Operation/Admin.pm

@@ -19,7 +19,9 @@ Package WebGUI::Operation::Admin
 
 =head1 DESCRIPTION
 
-Operation handler for admin functions
+Operation handler for admin functions.
+
+See also L<WebGUI::Content::Admin>, which handles C<op=admin> requests.
 
 =cut