mass-remove part added on 1.6 by drieschner included tiki-pagesetup.php...
mass-remove part added on 1.6 by drieschner included tiki-pagesetup.php apparently assuming this took care of custom permissions. I'm removing this line since it doesn't help currently. This still leaves a rather minor threat for case of $feature_listPages = 'y' for people with tiki_p_remove when some pages have individual rights, most importantly taking into account the unsecured listing. This permission comes by default with Editors group. Admins who don't fully trust their editors should probably turn off $feature_listPages != 'y'. A fix shouldn't be hard to code :)
Showing with 1 addition and 2 deletions