authorjim-p <jimp@netgate.com>2019-05-09 16:39:46 -0400
committerjim-p <jimp@netgate.com>2019-05-09 16:40:15 -0400
commit2d7ec8bfddb1ddac51426d03f59f3cdc5b8086a2 (patch)
tree83c37195318396201d013a98277a138d0518aa26
parenta8a07cfbb40a6134d47626cb81d249cf45c1df64 (diff)
Make widget privilege matching more specific. Fixes #9512
(cherry picked from commit bc319bc01a4d709b39e4c93c7223d277ee666bff)
-rw-r--r--src/etc/inc/priv/user.priv.inc4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/etc/inc/priv/user.priv.inc b/src/etc/inc/priv/user.priv.inc
index 2a09868..02d1c0e 100644
--- a/src/etc/inc/priv/user.priv.inc
+++ b/src/etc/inc/priv/user.priv.inc
@@ -21,7 +21,7 @@ $priv_list['page-dashboard-all']['name'] = gettext("WebCfg - Dashboard (all)");
$priv_list['page-dashboard-all']['descr'] = gettext("Allow access to all pages required for the dashboard.");
$priv_list['page-dashboard-all']['match'] = array();
$priv_list['page-dashboard-all']['match'][] = "index.php*";
-$priv_list['page-dashboard-all']['match'][] = "*.widget.php*";
+$priv_list['page-dashboard-all']['match'][] = "widgets/widgets/*.widget.php*";
$priv_list['page-dashboard-all']['match'][] = "graph.php*";
$priv_list['page-dashboard-all']['match'][] = "graph_cpu.php*";
$priv_list['page-dashboard-all']['match'][] = "getstats.php*";
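Review bot: The new entry `widgets/widgets/*.widget.php*` on the `page-dashboard-all` list still carries two wildcards, and the matcher that interprets them is not part of this hunk. If `*` is allowed to span `/` or `?`, the pattern still grants any request that starts with `widgets/widgets/` and has `.widget.php` anywhere after it. It is worth confirming that the matcher anchors the pattern at the start of the requested page, and adding a regression case for #9512. A short comment above the line would keep the prefix from being loosened again, for example `// Keep the widgets/widgets/ prefix: a leading * matches any page whose URL merely contains .widget.php (see #9512)`. The same applies to the identical entry under `page-dashboard-widgets` in the second hunk.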
@@ -32,7 +32,7 @@ $priv_list['page-dashboard-widgets'] = array();
$priv_list['page-dashboard-widgets']['name'] = gettext("WebCfg - Dashboard widgets (direct access).");
$priv_list['page-dashboard-widgets']['descr'] = gettext("Allow direct access to all Dashboard widget pages, required for some widgets using AJAX.");
$priv_list['page-dashboard-widgets']['match'] = array();
-$priv_list['page-dashboard-widgets']['match'][] = "*.widget.php*";
+$priv_list['page-dashboard-widgets']['match'][] = "widgets/widgets/*.widget.php*";
$priv_list['user-config-readonly'] = array();
$priv_list['user-config-readonly']['name'] = gettext("User - Config: Deny Config Write");
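Review bot: The literal `widgets/widgets/*.widget.php*` now appears twice, here under `page-dashboard-widgets` and earlier under `page-dashboard-all`, and this commit had to edit both copies. If this file is hand-maintained rather than generated, holding the pattern in one place, e.g. `$widget_match = "widgets/widgets/*.widget.php*";` and appending `$widget_match` to both `match` arrays, would stop the two privileges drifting apart the next time the pattern is tightened.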