From 5c062c4f0b30f5efebcae04e4a76299267d1e1c5 Mon Sep 17 00:00:00 2001
From: Grischa Brockhaus
Date: Sat, 31 Dec 2011 13:47:32 +0100
Subject: [PATCH] serendipity_deleteComment: Check for adminEntriesMaintainOthers

Please check this patch if it is okay, Garvin. Else redo it. Now only users owning the depending article or having adminEntriesMaintainOthers are allowed to delete a comment.
---
 include/functions_comments.inc.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 58db5e45..dbe648b6 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -538,6 +538,17 @@ function serendipity_deleteComment($id, $entry_id, $type='comments', $token=fals
 $goodtoken = serendipity_checkCommentToken($token, $id);
 if ($_SESSION['serendipityAuthedUser'] === true || $goodtoken) {
+
+ // Check for adminEntriesMaintainOthers
+ if (!serendipity_checkPermission('adminEntriesMaintainOthers')) {
+ // Load articles author id and check it
+ $sql = serendipity_db_query("SELECT authorid FROM {$serendipity['dbPrefix']}entries
+ WHERE entry_id = ". $entry_id, true);
+ if ($sql['authorid'] != $serendipity['authorid']) {
+ return false; // wrong user having no adminEntriesMaintainOthers right
+ }
+ }
+
 $admin = '';
 if (!$goodtoken && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
 $admin = " AND authorid = " . (int)$_SESSION['serendipityAuthorid'];