Visiting the comment approval link for a published comment causes 403

Created on 22 March 2010, over 14 years ago

Updated 18 February 2023, almost 2 years ago

Problem/Motivation

Visiting the approval URL for a comment that is already published gives a 403 response. Access denied is not really correct, the user has access, it's just already published.

Steps to reproduce

Install Drupal
Add an article
Post a comment and make sure it is unpublished
Copy the URL to approve the comment
Publish/approve the comment
Visit the approve URL again
Get 'Access Denied' message

Proposed resolution

#16 suggests allowing access to the URL but showing a message, e.g., "This comment is published."

Remaining tasks

Agree on the ideal behaviour
Write a patch with tests
Review

User interface changes

N/A

API changes

N/A

Data model changes

N/A

Release notes snippet

N/A

Original issue summary

This was pointed out by @webchick somewhere and passed along through several issues - see e.g. #66264-29: Remove CSRF vulnerability from comment module → .

The bug is a relatively minor one, but if you try to approve a comment that is already published (by visiting the appropriate comment/%/approve URL directly), you are not prevented from doing so - instead you get a "Comment approved" message on the screen.

We should at least change the message in that case, if not prevent it via the access callback completely (the latter because if anyone tries to use this link as anything other than a menu callback, they presumably don't want the "approve" link to show up in places where it doesn't make sense).

🐛 Bug report

Status

Needs work

Version

10.1 ✨

Component

Comment →

Last updated about 2 hours ago

Maintained by
🇦🇺Australia @larowlan
🇫🇷France @andypost

Created by

🇺🇸United States David_Rothstein

Live updates comments and jobs are added and updated live.

Needs backport to D7
After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

Needs beta evaluation
Since the first beta of Drupal 8 was released, every new 8.0.x issue should have a beta evaluation in the summary, to help clarify whether the 8.0.0 release is a target for that issue.

#DHCSprint

Bug Smash Initiative

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment almost 2 years ago →
🇺🇸United States smustgrave
Can we update MR to 10.1 please.
First commit to issue fork.
@rpayanm opened merge request.
Status changed to Needs review almost 2 years ago8:44pm 3 February 2023
Comment almost 2 years ago →
🇺🇾Uruguay rpayanm
Please review.
Comment almost 2 years ago →
🇦🇺Australia lyricnz
I can't believe this issue is still open! :)
Status changed to Needs work almost 2 years ago12:07am 18 February 2023
Comment almost 2 years ago →
🇺🇸United States smustgrave
This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request → as a guide.

Seems the D10 MR 3384 has some failures.

@andypost and @larowlan does #47 answer your comments about security?

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024