Users that can't "comment without approval" can bypass it by editing their comments after initial approval

Created on 15 March 2007, almost 18 years ago

Updated 19 June 2023, over 1 year ago

This is another method to handle the same problem: http://drupal.org/node/79693
This bug its, at this moment, in Drupal 4.7 and 5.1. But I'm patching for 4.7.
__________________________

In this case, I don't add any feature. Only correcting the bug itself.

The bug is, that, if a user that is not allowed to post a comment without approval, in some cases, HE CAN edit their comments without ANY approval by the admin.

Adding a "edit approval queue" is a feature itself (and very interesting) will be the better solution for this problem, but I believe that this feature must be in future versions of drupal.

_________________________________

My code don't allow users to edit their posts, if they doesn't have the "post comments without approval". Because if they can't post comments without approval, then, they aren't allowed to edit their posts without approval too.

This patch applies only to the comment.module, and only to the "comment_access" function.

Here is the original function at Drupal 4.7.6 comment.module:

function comment_access($op, $comment) {
   global $user;

   if ($op == 'edit') {
     return ($user->uid && $user->uid == $comment->uid && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
   }
 }

And the modified version:


function comment_access($op, $comment) {
   global $user;

   if ($op == 'edit') {
     return ($user->uid && $user->uid == $comment->uid && user_access('post comments without approval') && comment_num_replies($comment->cid) == 0) || user_access('administer comments');
   }
 }

Note that, I've only added a "&& user_access('post comments without approval') " to the return line. This is the unique modification needed to correct this bug.

_________

PD: The code is untested yet. If someone test it under Drupal 4.7.6, reply to this issue.

✨ Feature request

Status

Postponed: needs info

Version

9.5

Component

Comment →

Last updated 11 days ago

Maintained by
🇦🇺Australia @larowlan
🇫🇷France @andypost

Created by

🇪🇸Spain deavidsedice

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇺🇸United States smustgrave
Wonder if this is still relevant for D10?
Comment 11 days ago →
victoria88paul
Thanks for sharing. I found a lot of interesting information here. A really good post Culver's Guest Satisfaction Survey

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024