Users that can't "comment without approval" can bypass it by editing their comments after initial approval

Created on 15 March 2007, over 17 years ago
Updated 19 June 2023, 12 months ago

This is another method to handle the same problem: http://drupal.org/node/79693
This bug is, at this moment, in Drupal 4.7 and 5.1. But I'm patching for 4.7.
__________________________

In this case, I don't add any feature. I'm only correcting the bug itself.

The bug is that if a user is not allowed to post a comment without approval, in some cases, HE CAN edit their comments without ANY approval by the admin.

Adding an "edit approval queue" is a feature in itself (and a very interesting one) and would be the better solution for this problem, but I believe that this feature must be in future versions of Drupal.

_________________________________

My code doesn't allow users to edit their posts if they don't have "post comments without approval". Because if they can't post comments without approval, then they aren't allowed to edit their posts without approval either.

This patch applies only to the comment.module, and only to the "comment_access" function.

<!--break-->

Here is the original function at Drupal 4.7.6 comment.module:

function comment_access($op, $comment) {
  global $user;

  if ($op == 'edit') {
    return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
  }
}

And the modified version:


function comment_access($op, $comment) {
  global $user;

  if ($op == 'edit') {
    return ($user->uid && $user->uid == $comment->uid && user_access('post comments without approval') && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
  }
}

Note that I've only added a "&& user_access('post comments without approval') " to the return line. This is the only modification needed to correct this bug.

_________

PS: The code is untested yet. If someone tests it under Drupal 4.7.6, reply to this issue.
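
The two versions of the edit check from this issue, run side by side over constructed accounts. This is an added example, not part of the original post and not Drupal code: `user_access()` and `comment_num_replies()` are stand-in stubs, the names `comment_access_original` and `comment_access_patched` are hypothetical, and only the `edit` branch is modelled.

```php
<?php
// Stand-alone harness (added example, not Drupal code). user_access() and
// comment_num_replies() are minimal stubs for the Drupal 4.7 functions.
$replies = array(1 => 0, 2 => 3);   // constructed: comment id => reply count

function user_access($perm) {
  global $user;
  return in_array($perm, $user->perms);
}

function comment_num_replies($cid) {
  global $replies;
  return $replies[$cid];
}

// Edit check as quoted from the 4.7.6 comment.module.
function comment_access_original($comment) {
  global $user;
  return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
}

// Edit check with the extra permission test proposed in this issue.
function comment_access_patched($comment) {
  global $user;
  return ($user->uid && $user->uid == $comment->uid && user_access('post comments without approval') && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
}

// Constructed accounts covering each permission combination.
$accounts = array(
  'moderated' => (object) array('uid' => 5, 'perms' => array('post comments')),
  'trusted'   => (object) array('uid' => 6, 'perms' => array('post comments', 'post comments without approval')),
  'admin'     => (object) array('uid' => 1, 'perms' => array('administer comments')),
  'anonymous' => (object) array('uid' => 0, 'perms' => array()),
);

foreach ($accounts as $name => $account) {
  $user = $account;   // the script runs at global scope, so this sets the global $user
  foreach ($replies as $cid => $count) {
    // Each account tries to edit a comment it authored itself.
    $comment = (object) array('cid' => $cid, 'uid' => $account->uid);
    printf("%-9s own comment, %d replies: original=%s patched=%s\n", $name, $count,
      var_export(comment_access_original($comment), TRUE),
      var_export(comment_access_patched($comment), TRUE));
  }
}
```

The only row where the two columns differ is the moderated account editing its own comment with no replies, which is the case this issue describes.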

✨ Feature request
Status

Postponed: needs info

Version

9.5

Component
Comment

Last updated 3 days ago

Created by

🇪🇸 Spain deavidsedice
