From 01bb50fdec555cc0701912b4793ee3ae2d97d3db Mon Sep 17 00:00:00 2001
From: Harry Bomrah
Date: Thu, 31 Jul 2014 17:47:11 +0800
Subject: [PATCH] added security fix for edit page

---
 app/controllers/admin/galleries_controller.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/admin/galleries_controller.rb b/app/controllers/admin/galleries_controller.rb
index 15548e4..9865101 100644
--- a/app/controllers/admin/galleries_controller.rb
+++ b/app/controllers/admin/galleries_controller.rb
@@ -41,9 +41,12 @@ class Admin::GalleriesController < OrbitAdminController
   def edit
     @album = Album.find(params[:id])
-    @tags = @module_app.tags
-    @categories = @module_app.categories
-
+    if can_edit_or_delete?(@album)
+      @tags = @module_app.tags
+      @categories = @module_app.categories
+    else
+      render_401
+    end
   end
 
   def set_cover
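Review bot: The `can_edit_or_delete?(@album)` guard added to `edit` only protects the GET form; the write path (`update`, not in this hunk) needs the same check if it does not already have it, since a request can be submitted to it without ever rendering the form, and the same applies to any `destroy` action the controller has. Consider the guard-clause form so the authorization decision is the first thing a reader sees: `return render_401 unless can_edit_or_delete?(@album)` followed by the two unconditional assignments. The helper name `render_401` suggests an Unauthorized response where an authenticated-but-unpermitted user would conventionally get 403 Forbidden; if the helper's status code is adjustable, that distinction is worth checking, and it also makes such denials easier to separate from login failures in logs. `set_cover` starts at the end of the hunk and its body is outside it.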