serendipity_deleteComment: Check for adminEntriesMaintainOthers

Please check this patch if it is okay, Garvin. Else redo it.
Now only users owning the depending article or having
adminEntriesMaintainOthers are allowed to delete a comment.
Grischa Brockhaus 2011-12-31 13:47:32 +01:00
parent 0fd5541e51
commit 5c062c4f0b


@ -538,6 +538,17 @@ function serendipity_deleteComment($id, $entry_id, $type='comments', $token=fals
$goodtoken = serendipity_checkCommentToken($token, $id); $goodtoken = serendipity_checkCommentToken($token, $id);
if ($_SESSION['serendipityAuthedUser'] === true || $goodtoken) { if ($_SESSION['serendipityAuthedUser'] === true || $goodtoken) {
// Check for adminEntriesMaintainOthers
if (!serendipity_checkPermission('adminEntriesMaintainOthers')) {
// Load articles author id and check it
$sql = serendipity_db_query("SELECT authorid FROM {$serendipity['dbPrefix']}entries
WHERE entry_id = ". $entry_id, true);
if ($sql['authorid'] != $serendipity['authorid']) {
return false; // wrong user having no adminEntriesMaintainOthers right
}
}
$admin = ''; $admin = '';
if (!$goodtoken && !serendipity_checkPermission('adminEntriesMaintainOthers')) { if (!$goodtoken && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
$admin = " AND authorid = " . (int)$_SESSION['serendipityAuthorid']; $admin = " AND authorid = " . (int)$_SESSION['serendipityAuthorid'];
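Review bot: The ownership lookup added at the top of the authenticated branch concatenates `$entry_id` into the SQL uncast, while the unchanged line just below casts its value with `(int)`; the query should end with `WHERE entry_id = " . (int)$entry_id, true);`. The result is then indexed without checking that a row came back, and the loose `!=` lets a missing row compare equal to an unset `$serendipity['authorid']`, so the guard would be safer as `if (!is_array($sql) || (int)$sql['authorid'] !== (int)$serendipity['authorid'])`. The new block also runs when `$goodtoken` is true, unlike the existing `!$goodtoken && ...` condition after it, so it looks likely to reject token-based deletions for callers without a matching session; confirm whether that is intended. It is also worth confirming that the entries table really has an `entry_id` column rather than `id`, since the schema is not visible here. The body of serendipity_deleteComment starts and ends outside the hunk.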