--- docman.php 2002/07/29 12:34:18 1.29
+++ docman.php 2002/07/29 12:53:50 1.30
@@ -1008,6 +1008,9 @@
 $file=basename($target);
 $note=fopen("$dir/.note/$file","w");
+ if (! $note) {
+ Error("Error writing note","Can't open note file $dir/.note/$file for writing",1);
+ }
 fputs($note,"$msg\n");
 fclose($note);
@@ -1925,9 +1928,13 @@
 safe_rename($fsDir,$FN,$NEWNAME);
 break ;
- case "NOTE" :
- $NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]);
- WriteNote("$fsDir/$FN","$NOTE");
+ case "NOTE" :
+ if (! HTTP_POST_VAR("NOTE"))
+ Error("Can't add note to object","Can't find var \$NOTE",1);
+ if (! check_perm("$relDir/$FN", trperm_w))
+ Error("Access denied","User $gblLogin tried to add note to $relDir/$FN without valid trustee.",1);
+
+ WriteNote("$fsDir/$FN",$NOTE);
 break ;
 case "UNLOCK" :
@@ -1945,7 +1952,7 @@
 header("Location: ".$tstr) ;
 exit ;
 }
-
+
 // check for mode.. navigate, code display, upload, or detail?
 // $A=U : upload to path given in $D
 // $A=E : display detail of file $D/$F and edit
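Review bot: The new `if (! $note)` guard protects the `fputs()`/`fclose()` calls below it only if `Error(...,1)` never returns, and `Error()` is not visible in this hunk. Adding an explicit `return;` after the `Error()` call inside the braces would make the failure path independent of that helper; the enclosing function starts and ends outside the hunk. The same assumption carries the two brace-less `if` lines in the `case "NOTE"` hunk, where it matters more: if `Error()` returns after a failed `check_perm()`, execution falls through to `WriteNote()`, so a `break;` in a braced body is worth adding there. Separately, the message embeds the server path `$dir/.note/$file`; if `Error()` prints its second argument to the browser, presumably the path belongs in the log and a generic message on the page.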
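Review bot: `$NOTE` is no longer assigned anywhere in the new `case "NOTE"` lines. The removed `$NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]);` is gone and the return value of `HTTP_POST_VAR("NOTE")` is only tested, yet `WriteNote("$fsDir/$FN",$NOTE)` still uses the variable. Unless `HTTP_POST_VAR()` sets `$NOTE` as a side effect (it is not shown here), the value written is either undefined or whatever register_globals populated, which need not come from the POST body and is no longer unslashed. Taking the value explicitly after the permission check, as the old line `$NOTE=stripSlashes($HTTP_POST_VARS["NOTE"]);` did, keeps the source of the data unambiguous. The truthiness test also rejects a note consisting of `0`, so a presence check such as `isset($HTTP_POST_VARS["NOTE"])` may be closer to the intent.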