Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1405)
+++ branches/2.8.x/CHANGELOG	(revision 1406)
@@ -11,6 +11,8 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 -------------------------------------
+22 Jan-2011 Build 1406 Frank Heyne (FrankH)
+# Security fix to stop users from changing module contents without permission, thanks to Michael Schwarz 
 22 Jan-2011 Build 1405 Frank Heyne (FrankH)
 # Security fix (XSS) in form module, thanks to Michael Schwarz 
 22 Jan-2011 Build 1404 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/admin/pages/add.php
===================================================================
--- branches/2.8.x/wb/admin/pages/add.php	(revision 1405)
+++ branches/2.8.x/wb/admin/pages/add.php	(revision 1406)
@@ -49,6 +49,7 @@
 $admin_groups[] = 1;
 $viewing_groups[] = 1;
 
+// check parent page permissions:
 if ($parent!=0) {
 	if (!$admin->get_page_permission($parent,'admin'))
     {
@@ -60,6 +61,12 @@
 	$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
 }	
 
+// check module permissions:
+if (!$admin->get_permission($module, 'module'))
+{
+	$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
+}	
+
 // Validate data
 if($title == '' || substr($title,0,1)=='.')
 {
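Review bot: The new check `if (!$admin->get_permission($module, 'module'))` runs before any visible validation of `$module`, whose origin lies outside this hunk. If `get_permission` answers from a list of denied modules rather than allowed ones (not visible here), an empty or unknown module name would pass. It is worth confirming that `$module` is also matched against the installed modules before the page is created. The check only protects if `print_error` ends the request, so a comment such as `// print_error() must terminate the script here` would make that dependency explicit.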
@@ -75,7 +82,7 @@
 		if (in_array($adm_group, $admin->get_groups_id()))
         {
 			$admin_perm_ok = true;
-		}
+		} 
 	}
 	if ($admin_perm_ok == false)
     {
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1405)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1406)
@@ -52,6 +52,6 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2.RC5');
-if(!defined('REVISION')) define('REVISION', '1405');
+if(!defined('REVISION')) define('REVISION', '1406');
 
 ?>
Index: branches/2.8.x/wb/modules/admin.php
===================================================================
--- branches/2.8.x/wb/modules/admin.php	(revision 1405)
+++ branches/2.8.x/wb/modules/admin.php	(revision 1406)
@@ -70,6 +70,28 @@
 	$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
 }
 
+// some additional security checks:
+// Check whether the section_id belongs to the page_id at all
+if ($section_id != 0) {
+	$sql  = "SELECT module FROM `".TABLE_PREFIX."sections` WHERE `page_id` = '$page_id' AND `section_id` = '$section_id'";
+	$res_sec = $database->query($sql);
+	if ($database->is_error())
+	{
+		$admin->print_error($database->get_error());
+	}
+	if ($res_sec->numRows() == 0)
+	{
+		$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']);
+	}
+
+	// check module permissions:
+	$sec = $res_sec->fetchRow();
+	if (!$admin->get_permission($sec['module'], 'module'))
+	{
+		$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
+	}	
+}
+
 // Workout if the developer wants to show the info banner
 if(isset($print_info_banner) && $print_info_banner == true) {
 	
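Review bot: The `$sql` line places `$page_id` and `$section_id` into the query string inside quotes, and whether both were already cast to integers is decided outside this hunk. Casting at the point of use, `(int)$page_id` and `(int)$section_id`, would keep this ownership check safe regardless of how the caller set them. `$admin->print_error($database->get_error())` shows the raw database error to the user; a generic message with the detail logged server-side would disclose less. The whole block is skipped when `$section_id` is 0, so a request that reaches this file without a section id gets no module permission check from it.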
