Index: openacs-4/packages/xowiki/tcl/xowiki-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/xowiki/tcl/xowiki-procs.tcl,v
diff -u -N -r1.314.2.2 -r1.314.2.3
--- openacs-4/packages/xowiki/tcl/xowiki-procs.tcl 20 Jan 2009 09:01:48 -0000 1.314.2.2
+++ openacs-4/packages/xowiki/tcl/xowiki-procs.tcl 2 Feb 2009 22:58:51 -0000 1.314.2.3
@@ -1057,7 +1057,30 @@
 }
 set adp [string map {  " "} $adp]
 set adp_fn [lindex $adp 0]
- if {![string match "/*" $adp_fn]} {set adp_fn /packages/xowiki/www/$adp_fn}
+ #
+ # For security reasons, don't allow absolute paths to different
+ # packages. All allowed includelets must be made available
+ # under xowiki/www (preferable xowiki/www/portlets/*). If the
+ # provided path contains a admin/* admin rights are required.
+ #
+ if {[string match "/*" $adp_fn]} {
+ return "No absolute paths are allowed, adp includes must be provided via xowiki/www/*! $ch2"
+ }
+ if {[string match "admin/*" $adp_fn]} {
+ set allowed [::xo::cc permission \
+ -object_id [my package_id] -privilege admin \
+ -party_id [::xo::cc user_id]]
+ if {!$allowed} {
+ return "page can only be included by an admin! $ch2"
+ }
+ }
+ set adp_fn /packages/xowiki/www/$adp_fn
+ #
+ # alternatively, we could allow url-based includes, and then using
+ # set node [site_node::get -url [ad_conn url]]
+ # permission::require_permission -object_id $node(object_id) -privilege read
+ # ... or admin/* based checks like in rp.
 set adp_args [lindex $adp 1]
 if {[llength $adp_args] % 2 == 1} {
 incr ::xowiki_inclusion_depth -1
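Review bot: The two `string match` guards are literal prefix checks, so a user-supplied `adp_fn` of `../../otherpkg/www/x.adp` still escapes `xowiki/www` after the `/packages/xowiki/www/$adp_fn` prefix is applied, and `portlets/../admin/x.adp` or `./admin/x.adp` reaches the admin directory without ever matching `admin/*` — assuming the include later resolves the path on the file system, which this hunk does not show. Reject parent and self segments before either check, e.g. `if {[string match "/*" $adp_fn] || [string match "./*" $adp_fn] || [lsearch -exact [file split $adp_fn] ".."] != -1} {` with a matching message `return "No absolute or parent-relative paths are allowed, adp includes must be provided via xowiki/www/*! $ch2"`; with `..` excluded, the `admin/*` prefix check becomes sound. The comment's stated intent is also "preferable xowiki/www/portlets/*" — if only that subtree is meant to be includable, an allowlist (`string match "portlets/*"` or `admin/*`, otherwise refuse) is simpler to reason about than a denylist. The enclosing proc starts and ends outside this hunk, and it is not visible whether `$ch2` is HTML-escaped before the returned string is rendered, so that is worth confirming separately.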