security: [feeds] Hide headers for non-site admin users

app/Controller/Component/ACLComponent.php

@@ -296,7 +296,10 @@ class ACLComponent extends Component
                         'perm_site_admin',
                     ]],
                     'toggleSelected' => array('perm_site_admin'),
-                    'view' => array('*'),
+                    'view' => ['OR' => [
+                        'host_org_user',
+                        'perm_site_admin',
+                    ]],
             ),
             'galaxies' => array(
                 'attachCluster' => array('perm_tagger'),

app/Controller/FeedsController.php

@@ -95,6 +95,11 @@ class FeedsController extends AppController
         } else {
             $data = $this->paginate();
         }
+        foreach ($data as $i => $entry) {
+            if (!$this->_isSiteAdmin()) {
+                unset($data[$i]['Feed']['headers']);
+            }
+        }
         $this->loadModel('Event');
         foreach ($data as $key => $value) {
             if ($value['Feed']['event_id'] != 0 && $value['Feed']['fixed_event']) {
@@ -130,6 +135,9 @@ class FeedsController extends AppController
             'recursive' => -1,
             'contain' => array('Tag')
         ));
+        if (!$this->_isSiteAdmin()) {
+            unset($feed['Feed']['headers']);
+        }
         $feed['Feed']['cached_elements'] = $this->Feed->getCachedElements($feed['Feed']['id']);
         $feed['Feed']['coverage_by_other_feeds'] = $this->Feed->getFeedCoverage($feed['Feed']['id'], 'feed', 'all') . '%';
         if ($this->_isRest()) {

app/View/Feeds/index.ctp

@@ -144,7 +144,8 @@
                 array(
                     'name' => __('Headers'),
                     'class' => 'shortish',
-                    'data_path' => 'Feed.headers'
+                    'data_path' => 'Feed.headers',
+                    'requirement' => $isSiteAdmin
                 ),
                 array(
                     'name' => __('Target'),