From 64c0b377261aaa5276e636e2496edfffbe15964d Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Fri, 4 Mar 2016 16:02:03 +0100
Subject: [PATCH] add access check

---
 out/out.Categories.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/out/out.Categories.php b/out/out.Categories.php
index f913b0f3c..049e12163 100644
--- a/out/out.Categories.php
+++ b/out/out.Categories.php
@@ -26,7 +26,10 @@ include("../inc/inc.DBInit.php");
 include("../inc/inc.ClassUI.php");
 include("../inc/inc.Authentication.php");
 
-if (!$user->isAdmin()) {
+$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
+$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
+$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) {
 	UI::exitError(getMLText("admin_tools"),getMLText("access_denied"));
 }
 
@@ -38,10 +41,8 @@ if(isset($_GET['categoryid']) && $_GET['categoryid']) {
 	$selcat = null;
 }
 
-$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
-$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'categories'=>$categories, 'selcategory'=>$selcat));
 if($view) {
+	$view->setParam('categories', $categories);
+	$view->setParam('selcategory', $selcat);
 	$view($_GET);
 }
-
-?>
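Review bot: The new gate `if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin())` turns an admin-only page into one reachable by any authenticated user for whom check_view_access() returns true, and since that method's body is not in this diff it should be confirmed to fail closed (return false) for a view name with no explicit rule, otherwise the categories admin tool becomes reachable by every logged-in user. In the same hunk `$view` comes from `UI::factory()` and is only tested for truthiness later in `if($view)`, so an unknown view name sends false/null into check_view_access(); a guard such as `if (!$view || (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()))` keeps the deny path on that edge case as well. `$settings` is passed to the SeedDMS_AccessOperation constructor but is not defined anywhere visible here, so presumably it comes from an include above line 26 — worth confirming. A brief comment above the gate, e.g. `// Non-admins may view only if the access-operation policy explicitly allows this view`, would record the intended widening of access.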