From: Jean-Philippe Lang
Date: Wed, 10 Oct 2007 21:18:10 +0000 (+0000)
Subject: Fixed: a user not authorized to edit wiki pages gets the edit form if the page doesn...
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=3844e4bca84510b1614eaf90da565ce105881997;p=redminele%2Fredmine.git
Fixed: a user not authorized to edit wiki pages gets the edit form if the page doesn't exist. He now gets a 404.
git-svn-id: http://redmine.rubyforge.org/svn/trunk@823 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index fe53e63f..7609323f 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -31,8 +31,13 @@ class WikiController < ApplicationController
 page_title = params[:page]
 @page = @wiki.find_or_new_page(page_title)
 if @page.new_record?
- edit
- render :action => 'edit' and return
+ if User.current.allowed_to?(:edit_wiki_pages, @project)
+ edit
+ render :action => 'edit'
+ else
+ render_404
+ end
+ return
 end
 @content = @page.content_for_version(params[:version])
 if params[:export] == 'html'
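Review bot: The permission check on the new-page branch is written inline with a hard-coded `:edit_wiki_pages`, while `edit` is still invoked as a plain method call, so any filter that guards the `edit` action presumably does not run on this path (the filters are outside the hunk, so this is inferred from the bug being fixed). A comment above the new `if` would stop a later cleanup from removing the guard, for example `# edit is called directly, so its controller filters do not run here; check the permission explicitly`. The visible change also carries no functional test; a test that requests a non-existent page as a user without the permission and expects a 404 would pin the fix. The enclosing action starts and ends outside the hunk, so whether `edit` can itself render or redirect before the following `render :action => 'edit'` cannot be confirmed from here.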