comment_access() doesn't validate the $comment object

Created on 27 August 2015, almost 9 years ago
Updated 16 May 2023, about 1 year ago

Problem/Motivation

The comment_access() function is returning TRUE when $comment is set to FALSE.

return comment_access('edit', FALSE);

The above code returns TRUE resulting in false positives when modules call comment_access() without first verifying the comment object.

Proposed resolution

It seems to me that we cannot determine whether or not a user has access to a comment without first validating that we have a comment object to check against. Therefore, I think the comment_access() function should validate that it has a valid comment object it is working with.

Remaining tasks

  • Write patch
  • Test patch
  • Commit patch
πŸ› Bug report
Status

Needs work

Version

7.0 ⚰️

Component
Comment →

Last updated 2 days ago

Created by

🇺🇸 United States jantoine

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇸🇰 Slovakia poker10

    A similar function (node_access()) does verify the node object:

      if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) {
        // If there was no node to check against, or the $op was not one of the
        // supported ones, we return access denied.
        return FALSE;
      }
    

    We can probably do the same and check if the comment is not empty.

      if (!$comment) {
        return FALSE;
      }
    

    I think this would be sufficient, as the node module does not verify if the nid is numeric either. It would be great to add a simple test for this along with the simplification of the patch mentioned earlier. Thanks!
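Added example, not code from Drupal core or from this issue's patch: a stand-alone PHP model of the Drupal 7 comment_access() 'edit' branch, with global $user, user_access() and COMMENT_PUBLISHED stubbed so it runs outside Drupal. It reproduces the false positive for an administrator calling comment_access('edit', FALSE) and shows the guarded version denying it; the guard uses is_object(), which is slightly stricter than the !$comment check proposed above (it also rejects non-object truthy values).

```php
<?php
// Added example, not Drupal core code: stand-alone model of the Drupal 7
// comment_access() 'edit' branch. $user, user_access() and COMMENT_PUBLISHED are stubs.

define('COMMENT_PUBLISHED', 1);

// Constructed sample account: an administrator (uid 1) holding both permissions.
$user = (object) array(
  'uid' => 1,
  'perms' => array('administer comments', 'edit own comments'),
);

function user_access($permission) {
  global $user;
  return in_array($permission, $user->perms, TRUE);
}

// Original shape of the check: nothing validates $comment, so reading
// $comment->uid on FALSE only raises a PHP warning, and the
// 'administer comments' branch still answers TRUE with no comment at all.
function comment_access_original($op, $comment) {
  global $user;
  if ($op == 'edit') {
    return ($user->uid && $user->uid == $comment->uid
      && $comment->status == COMMENT_PUBLISHED && user_access('edit own comments'))
      || user_access('administer comments');
  }
}

// Guarded version: deny unless there is a comment object to check against,
// mirroring the early return node_access() already has for $node.
function comment_access_patched($op, $comment) {
  global $user;
  if (!is_object($comment)) {
    return FALSE;
  }
  if ($op == 'edit') {
    return ($user->uid && $user->uid == $comment->uid
      && $comment->status == COMMENT_PUBLISHED && user_access('edit own comments'))
      || user_access('administer comments');
  }
  return FALSE;
}

// Constructed sample comment owned by the same account.
$comment = (object) array('cid' => 1, 'uid' => 1, 'status' => COMMENT_PUBLISHED);
var_dump(comment_access_original('edit', FALSE));   // the false positive from the issue
var_dump(comment_access_patched('edit', FALSE));    // denied: no comment to check
var_dump(comment_access_patched('edit', $comment)); // allowed: a real published comment
```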
