comments: use comments_pagespec for authorization, not just UI

[ikiwiki.git] / IkiWiki / Plugin / comments.pm

diff --git a/IkiWiki/Plugin/comments.pm b/IkiWiki/Plugin/comments.pm
index a0ca9f32e484090969fbfa605875268cd112e9d8..98ae13810200269a34fbfb8b24093e26dc5ad4bb 100644 (file)
--- a/IkiWiki/Plugin/comments.pm
+++ b/IkiWiki/Plugin/comments.pm
@@ -438,6 +438,16 @@ sub editcomment ($$) {
                        $page));
        }
 
+       # There's no UI to get here, but someone might construct the URL,
+       # leading to a comment that exists in the repository but isn't
+       # shown
+       if (!pagespec_match($page, $config{comments_pagespec},
+               location => $page)) {
+               error(sprintf(gettext(
+                       "comments on page '%s' are not allowed"),
+                       $page));
+       }
+
        if (pagespec_match($page, $config{comments_closed_pagespec},
                location => $page)) {
                error(sprintf(gettext(