Visiting the comment approval link for a published comment causes 403

Created on 22 March 2010, almost 15 years ago
Updated 18 February 2023, almost 2 years ago

Problem/Motivation

Visiting the approval URL for a comment that is already published gives a 403 response. Access denied is not really correct; the user has access, it's just already published.

Steps to reproduce

  1. Install Drupal
  2. Add an article
  3. Post a comment and make sure it is unpublished
  4. Copy the URL to approve the comment
  5. Publish/approve the comment
  6. Visit the approve URL again
  7. Get 'Access Denied' message

Proposed resolution

#16 suggests allowing access to the URL but showing a message, e.g., "This comment is published."

Remaining tasks

  1. Agree on the ideal behaviour
  2. Write a patch with tests
  3. Review

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

Original issue summary

This was pointed out by @webchick somewhere and passed along through several issues - see e.g. #66264-29: Remove CSRF vulnerability from comment module.

The bug is a relatively minor one, but if you try to approve a comment that is already published (by visiting the appropriate comment/%/approve URL directly), you are not prevented from doing so - instead you get a "Comment approved" message on the screen.

We should at least change the message in that case, if not prevent it via the access callback completely (the latter because if anyone tries to use this link as anything other than a menu callback, they presumably don't want the "approve" link to show up in places where it doesn't make sense).

🐛 Bug report
Status

Needs work

Version

10.1 ✨

Component
Comment

Last updated 12 days ago

Created by

🇺🇸 United States David_Rothstein

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

  • Needs beta evaluation

    Since the first beta of Drupal 8 was released, every new 8.0.x issue should have a beta evaluation in the summary, to help clarify whether the 8.0.0 release is a target for that issue.
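
The resolution proposed in the issue summary above, sketched as an added example (a simplified stand-alone model, not Drupal core code and not a patch from this issue): the access check looks only at the permission and the CSRF token, and the handler reports an already-published comment instead of denying access. The function names, the secret, the session id and the sample data are hypothetical and constructed for illustration.

```php
<?php
// Simplified model of a comment/%/approve route. Not Drupal core code;
// every function name and value below is hypothetical or constructed.
const SECRET = 'constructed-site-secret';

// CSRF token bound to the session and to this comment's approve path.
function approve_token(string $session, int $cid): string {
  return hash_hmac('sha256', "comment/$cid/approve", SECRET . $session);
}

// Access check: who is asking, and is the link genuine?
// The comment's published state is deliberately not consulted here.
function approve_access(array $user, string $session, int $cid, string $token): bool {
  return in_array('administer comments', $user['permissions'], true)
    && hash_equals(approve_token($session, $cid), $token);
}

// Handler: returns [HTTP status, message] and publishes at most once.
function approve(array &$comments, array $user, string $session, int $cid, string $token): array {
  // Authorize first, so unauthorized callers learn nothing about comment ids.
  if (!approve_access($user, $session, $cid, $token)) {
    return [403, 'Access denied'];
  }
  if (!isset($comments[$cid])) {
    return [404, 'Not found'];
  }
  if ($comments[$cid]['published']) {
    return [200, 'This comment is published.'];  // state left unchanged
  }
  $comments[$cid]['published'] = true;
  return [200, 'Comment approved.'];
}

// Constructed sample data: one unpublished comment, two users.
$comments = [7 => ['published' => false]];
$admin = ['permissions' => ['administer comments']];
$guest = ['permissions' => []];
$good  = approve_token('sess-a', 7);

$cases = [
  'guest, valid token'    => approve($comments, $guest, 'sess-a', 7, $good),
  'admin, forged token'   => approve($comments, $admin, 'sess-a', 7, 'forged'),
  'admin, first visit'    => approve($comments, $admin, 'sess-a', 7, $good),
  'admin, repeated visit' => approve($comments, $admin, 'sess-a', 7, $good),
];
foreach ($cases as $label => [$status, $message]) {
  printf("%-22s %d %s\n", $label, $status, $message);
}
```

With this split, a 403 on the approve path always means a missing permission or an invalid token, so it stays a meaningful signal in access logs, while a repeated visit by an authorized user is a harmless no-op.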
