external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Do not allow unauthenticated users to delete comments

Browse source 
Since commit fb7bde3 (Add support for anonymous comments, 2014-02-04),
we support comments with no specific author. Add a check to
canDeleteComment() and canDeleteCommentArray() to ensure an
unauthenticated user cannot delete such comments.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
This commit is contained in:
Lukas Fleischer 2014-02-06 09:04:10 +01:00
parent fb7bde3a6c
commit b8a31dcc72
1 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
web/lib/pkgfuncs.inc.php
View file

@ -14,6 +14,10 @@ include_once("config.inc.php");
* @return bool True if the user can delete the comment, otherwise false
*/
function canDeleteComment($comment_id=0, $atype="", $uid=0) {
if (!$uid) {
/* Unauthenticated users cannot delete anything. */
return false;
}
if ($atype == "Trusted User" || $atype == "Developer") {
# A TU/Dev can delete any comment
return TRUE;
@ -46,7 +50,10 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0) {
* @return bool True if the user can delete the comment, otherwise false
*/
function canDeleteCommentArray($comment, $atype="", $uid=0) {
if ($atype == "Trusted User" || $atype == "Developer") {
if (!$uid) {
/* Unauthenticated users cannot delete anything. */
return false;
} elseif ($atype == "Trusted User" || $atype == "Developer") {
# A TU/Dev can delete any comment
return TRUE;
} else if ($comment['UsersID'] == $uid) {