From bf733fca8e2b2c3ecaf713305d1d53878c14fdfd Mon Sep 17 00:00:00 2001
From: Florian Schlichting
Date: Thu, 31 Dec 2015 18:50:55 +0100
Subject: [PATCH] let admin.php without parameters redirect to index.php, and document restrict_setup_to_admin setting (fixes #55)
---
 config/example-config.php | 7 +++++++
 htdocs/admin.php | 4 ++++
 2 files changed, 11 insertions(+)
diff --git a/config/example-config.php b/config/example-config.php
index 769b6aa1..4bc07b9b 100644
--- a/config/example-config.php
+++ b/config/example-config.php
@@ -64,6 +64,13 @@ $c->pg_connect[] = "dbname=davical user=davical_app";
 */
 $c->admin_email ='calendar-admin@example.com';
+/**
+* Set this to 'true' in order to restrict the /setup.php page (which contains
+* the entire phpinfo() output) to 'Administrator' users.
+* Default: false
+*/
+// $c->restrict_setup_to_admin = true;
+
 /**
 * The "enable_row_linking" option controls whether javascript is used
 * to make the entire row clickable in browse lists in the administration
diff --git a/htdocs/admin.php b/htdocs/admin.php
index 7fe272c3..b48b8558 100644
--- a/htdocs/admin.php
+++ b/htdocs/admin.php
@@ -10,6 +10,10 @@ require_once('AwlQuery.php');
 param_to_global('action', '{(edit|browse)}', 'action');
 param_to_global('component', '{[a-z0-9-_]+}', 't');
 param_to_global('id', '{[a-z0-9-_]+}', 'id');
+if ( ! $action || ! $component ) {
+ header('Location: index.php');
+ @ob_flush(); exit(0);
+}
 $c->stylesheets[] = 'css/'.$action.'.css';
 if ( $c->enable_row_linking ) {
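Review bot: The new comment for `restrict_setup_to_admin` in config/example-config.php does not say who can open /setup.php while the option stays at its default of false, even though it points out that the page shows the entire phpinfo() output. That output typically includes server paths, loaded modules and environment values, so I would state the default audience explicitly if it is known and add a line such as `* Recommended on any server that non-administrators can reach.` This is a documentation-only suggestion; the access check itself is not part of this hunk.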
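Review bot: The `@` on `ob_flush()` in the guard added to htdocs/admin.php suppresses the notice PHP raises when no output buffer is active, and the call looks unnecessary because open buffers are flushed when the script exits; `header('Location: index.php'); exit(0);` would behave the same without error suppression. The guard also relies on `param_to_global()` leaving `$action` and `$component` falsy when a parameter is absent or fails its pattern, which the hunk does not show, so a short comment such as `// no valid action/component: nothing to render, go back to the index` would record the intent. The loose `!` test additionally treats a component value of `0` as missing, which is presumably harmless here but worth knowing. The `if ( $c->enable_row_linking ) {` block at the end of the hunk continues outside it.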