Close wide-open hacking hole! This script wasn't checking for admin

user in the case where the site has been defined already.  Oops. Fixed now.

admin/site.php

@@ -2,7 +2,11 @@
 
 	require("../config.php");
 
-    $course = get_site();
+    if ($course = get_site()) {
+        if (!isadmin()) {
+            error("You need to be admin to edit this page");
+        }
+    }
     $course->format = "social";   // override
 
 /// If data submitted, then process and store.