Diffstat (limited to 'modules-available/news/page.inc.php')
-rw-r--r--modules-available/news/page.inc.php61
1 files changed, 39 insertions, 22 deletions
diff --git a/modules-available/news/page.inc.php b/modules-available/news/page.inc.php
index ee377dc4..5ad79b0e 100644
--- a/modules-available/news/page.inc.php
+++ b/modules-available/news/page.inc.php
@@ -31,12 +31,10 @@ class Page_News extends Page
// load user, we will need it later
User::load();
-
- // only admins should be able to edit news
- if (!User::hasPermission('superadmin')) {
- Message::addError('main.no-permission');
- Util::redirect('?do=Main');
- }
+ if (!User::isLoggedIn()) {
+ Message::addError('main.no-permission');
+ Util::redirect('?do=Main');
+ }
// check which action we need to do
$action = Request::any('action', 'show');
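Review bot: Replacing the `superadmin` gate with `User::isLoggedIn()` makes every code path in this method that is not individually wrapped in a `User::hasPermission()` check reachable by any authenticated account. The save and delete branches later in this commit are guarded, but the default `show` action and anything else the method does outside the visible hunks should be confirmed as safe for an unprivileged user. The removed comment also leaves the new intent undocumented; something like `// any logged-in user may view; save/delete are checked per action below` would help. The guard still relies on `Util::redirect()` ending the request, which cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.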
@@ -66,26 +64,41 @@ class Page_News extends Page
$pageType = Request::post('news-type');
if ($pageType == 'news') {
- if (!$this->saveNews()) {
- // re-set the fields we got
- Request::post('news-title') ? $this->newsTitle = Request::post('news-title') : $this->newsTitle = false;
- Request::post('news-content') ? $this->newsContent = Request::post('news-content') : $this->newsContent = false;
- } else {
- Message::addSuccess('news-save-success');
- $lastId = Database::lastInsertId();
- Util::redirect("?do=News&newsid=$lastId");
- }
+ if (User::hasPermission("news.save")) {
+ if (!$this->saveNews()) {
+ // re-set the fields we got
+ Request::post('news-title') ? $this->newsTitle = Request::post('news-title') : $this->newsTitle = false;
+ Request::post('news-content') ? $this->newsContent = Request::post('news-content') : $this->newsContent = false;
+ } else {
+ Message::addSuccess('news-save-success');
+ $lastId = Database::lastInsertId();
+ Util::redirect("?do=News&newsid=$lastId");
+ }
+ }
} elseif ($pageType == 'help') {
- if ($this->saveHelp()) {
- Message::addSuccess('help-save-success');
- $lastId = Database::lastInsertId();
- Util::redirect("?do=News&newsid=$lastId");
- }
+ if (User::hasPermission("help.save")) {
+ if ($this->saveHelp()) {
+ Message::addSuccess('help-save-success');
+ $lastId = Database::lastInsertId();
+ Util::redirect("?do=News&newsid=$lastId");
+ }
+ }
}
} elseif ($action === 'delete') {
// delete it
- $this->delNews(Request::post('newsid'));
- Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+ $pageType = Request::post('news-type');
+
+ if ($pageType == 'news') {
+ if(User::hasPermission("news.delete")) {
+ $this->delNews(Request::post('newsid'));
+ Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+ }
+ } elseif ($pageType == 'help') {
+ if(User::hasPermission("help.delete")) {
+ $this->delNews(Request::post('newsid'));
+ Util::redirect('?do=News&editHelp='.Request::any('editHelp'));
+ }
+ }
} else {
// unknown action, redirect user
Message::addError('invalid-action', $action);
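Review bot: In the `delete` branch the permission that gets checked is selected by the client-supplied `news-type` field, yet both arms call the same `$this->delNews(Request::post('newsid'))`, so unless `delNews()` (outside this hunk) verifies the stored row's type, an account holding only `help.delete` can remove a news entry and vice versa. The type should be derived from the stored record for that `newsid`, or passed to `delNews()` and matched in its query, rather than trusted from the request. Separately, a denied permission or an unrecognised `news-type` in both `save` and `delete` produces no message in the visible code; an `else` with `Message::addError('main.no-permission');` followed by `Util::redirect('?do=News');` would make the refusal explicit. The enclosing method begins and ends outside the hunk.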
@@ -134,6 +147,10 @@ class Page_News extends Page
'editHelp' => $this->editHelp,
'list' => $lines,
'listHelp' => $linesHelp,
+ 'allowedNewsSave' => User::hasPermission("news.save"),
+ 'allowedNewsDelete' => User::hasPermission("news.delete"),
+ 'allowedHelpSave' => User::hasPermission("help.save"),
+ 'allowedHelpDelete' => User::hasPermission("help.delete"),
'hasSummernote' => $this->hasSummernote, ));
}
/**