From 414e60380fe33c7f25c0afa3288d7b3569b51d5c Mon Sep 17 00:00:00 2001
From: Colin Kuskie
Date: Mon, 17 May 2010 08:27:01 -0700
Subject: [PATCH] Do not allow any backdoors for Visitor to get into his account. Fixes bug #11572.
---
 docs/changelog/7.x.x.txt | 1 +
 lib/WebGUI/Operation/Profile.pm | 1 +
 2 files changed, 2 insertions(+)
diff --git a/docs/changelog/7.x.x.txt b/docs/changelog/7.x.x.txt
index 20d83971c..7e00e7963 100644
--- a/docs/changelog/7.x.x.txt
+++ b/docs/changelog/7.x.x.txt
@@ -17,6 +17,7 @@
 - fixed #11567: EMS: Build badge page, ticket tab, pagination
 - added: a new inbox setting which supresses friend rejection notices
 - fixed #11552: Visitors (and others) can bypass group-by-IP restrictions
+ - fixed #11572: visitors can enter editProfile

 7.9.4
 - We're shipping underscore.js now for its suite of extremely handy utility
diff --git a/lib/WebGUI/Operation/Profile.pm b/lib/WebGUI/Operation/Profile.pm
index 100154ded..5b1d808b4 100644
--- a/lib/WebGUI/Operation/Profile.pm
+++ b/lib/WebGUI/Operation/Profile.pm
@@ -185,6 +185,7 @@ A reference to the current session.

 sub www_editProfile {
 my $session = shift;
+ return $session->privilege->insufficient if $session->user->isVisitor;
 my $instance = WebGUI::Content::Account->createInstance($session,"profile");
 return $instance->displayContent($instance->callMethod("edit"));
 }
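Review bot: The new Visitor guard in `www_editProfile` protects only this one operation entry point, while the real work is delegated to `WebGUI::Content::Account->createInstance($session,"profile")` and its `edit` method. Whether that method rejects Visitor on its own is not visible in this hunk; if it does not, any other path that reaches it still skips the check, so the same test should be confirmed or added in the profile account module, together with a regression test for #11572. The new line would also benefit from a why-comment such as `# Visitor is the anonymous user and must never reach the profile editor (bug #11572)`, and the sub's POD, which begins outside the hunk, should mention that Visitor gets the insufficient-privilege page.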