From 91f0935109d0f1a8329ca2ad6228e988b1eafaf7 Mon Sep 17 00:00:00 2001
From: j2blake
Date: Mon, 15 Apr 2013 12:23:14 -0400
Subject: [PATCH] Security fix for release 1.5.2

Secure the DeletePageController. It was accessible to anyone who knew the link.
---
 .../vitro/webapp/controller/edit/DeletePageController.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/DeletePageController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/DeletePageController.java
index 06ccd95d1..d66f93b2d 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/DeletePageController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/DeletePageController.java
@@ -23,6 +23,7 @@ import com.hp.hpl.jena.rdf.model.Statement;
 import com.hp.hpl.jena.rdf.model.StmtIterator;
 import com.hp.hpl.jena.shared.Lock;
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.DisplayVocabulary;
@@ -38,6 +39,9 @@ public class DeletePageController extends VitroHttpServlet {
 @Override
 protected void doPost(HttpServletRequest rawRequest, HttpServletResponse resp)
 throws ServletException, IOException {
+ if (!isAuthorizedToDisplayPage(rawRequest, resp, SimplePermission.MANAGE_MENUS.ACTION)) {
+ return;
+ }
 removeStatements = ModelFactory.createDefaultModel();
 VitroRequest vreq = new VitroRequest(rawRequest);
 String pageUri = vreq.getParameter("pageURI");
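Review bot: The added permission check closes the "anyone with the link" hole, but the delete remains a single state-changing POST keyed only on the caller's session, with no visible anti-CSRF defence; a user who already holds MANAGE_MENUS and is lured to a hostile page could still be made to submit the form, unless VitroHttpServlet or a servlet filter validates a token, which this hunk cannot show. Consider pairing the permission test with a check that the posted request carries a per-session token (generated into the delete form, compared against the session before `removeStatements` is touched) and documenting the intent with a comment above the guard, e.g. `// Deleting a page is privileged and destructive: require MANAGE_MENUS and bail out before touching the model.` Only doPost is guarded here; if the inherited doGet of VitroHttpServlet also reaches this code path or serves the request itself, it needs the same guard. The rest of doPost lies outside the hunk.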