comment_access() doesn't validate the $comment object

Created on 27 August 2015, almost 9 years ago

Updated 16 May 2023, about 1 year ago

Problem/Motivation

The comment_access() function is returning TRUE when $comment is set to FALSE.

return comment_access('edit', FALSE);

The above code returns TRUE resulting in false positives when modules call comment_access() without first verifying the comment object.

Proposed resolution

It seems to me that we cannot determine whether or not a user has access to a comment without first validating that we have a comment object to check against. Therefore, I think the comment_access() function should validate that it has a valid comment object it is working with.

Remaining tasks

Write patch
Test patch
Commit patch

🐛 Bug report

Status

Needs work

Version

7.0 ⚰️

Component

Comment →

Last updated 2 days ago

Maintained by
🇦🇺Australia @larowlan
🇫🇷France @andypost

Created by

🇺🇸United States jantoine

Live updates comments and jobs are added and updated live.

Needs tests
The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 1 year ago →
🇸🇰Slovakia poker10
Similar function (node_access()) does verify the node object:

if (!$node || !in_array($op, array('view', 'update', 'delete', 'create'), TRUE)) { // If there was no node to check against, or the $op was not one of the // supported ones, we return access denied. return FALSE; }
We can probably do the same and check if the comment is not empty.

if (!$comment) { return FALSE; }
I think this would be sufficient, as node module does not verify if the nid is numeric either. It would be great to add a simple test for this along with the simplification of the patch mentioned earlier. Thanks!

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024