From 29c8d2ebecebb35d2c43104124fd2b9767fa1ec0 Mon Sep 17 00:00:00 2001
From: Sam
Date: Mon, 21 Oct 2013 15:33:42 +1100
Subject: [PATCH] oops add security
---
.../discourse/templates/list/wide_categories.js.handlebars | 2 ++
app/controllers/categories_controller.rb | 2 ++
2 files changed, 4 insertions(+)
diff --git a/app/assets/javascripts/discourse/templates/list/wide_categories.js.handlebars b/app/assets/javascripts/discourse/templates/list/wide_categories.js.handlebars
index 8dea442a780..f1e499e2f76 100644
--- a/app/assets/javascripts/discourse/templates/list/wide_categories.js.handlebars
+++ b/app/assets/javascripts/discourse/templates/list/wide_categories.js.handlebars
@@ -7,7 +7,9 @@ {{i18n categories.topics}} {{i18n categories.posts}} {{i18n categories.latest}} + {{#if canEdit}} + {{/if}}
diff --git a/app/controllers/categories_controller.rb b/app/controllers/categories_controller.rb
index e33aeb43c89..16bd5bd9a19 100644
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@@ -29,6 +29,8 @@ class CategoriesController < ApplicationController end def move + guardian.ensure_can_create!(Category) + params.require("category_id") params.require("position")
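Review bot: In the `categories_controller.rb` hunk, the guard added at the top of `move` is `guardian.ensure_can_create!(Category)`, a class-level create permission, while the action repositions an existing category named by `category_id`. If per-category edit rights are meant to govern reordering, the check should run against the loaded record instead, for example `guardian.ensure_can_edit!(category)` after the lookup, assuming Guardian exposes an edit check in the same form. If create permission is the intended gate, a one-line comment such as `# reordering is restricted to users who may create categories` would record that decision. The diffstat lists only the template and the controller, so no spec covers an unprivileged request to `move` being refused; a controller spec for that case would stop the check from being dropped again. The body of `move` continues past the end of the hunk, so the lookup and the handling of `position` are not visible here.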