[aur-dev][PATCH] Move permission for LIST_COMMENTS to dev/tu block
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 web/lib/credentials.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
 $atype = account_from_sid($_COOKIE['AURSID']);
 switch ($credential) {
- case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_PKGBASE_FLAG:
 case CRED_PKGBASE_NOTIFY:
 case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
 case CRED_ACCOUNT_CHANGE_TYPE:
 case CRED_ACCOUNT_EDIT:
 case CRED_ACCOUNT_LAST_LOGIN:
+ case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_ACCOUNT_SEARCH:
 case CRED_COMMENT_DELETE:
 case CRED_COMMENT_UNDELETE:
-- 
2.23.0
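Review bot: Neither case group in has_credential says which account types it resolves to — the code that does so presumably follows the case lists, outside both hunks — so a reader choosing where a new credential belongs has to read past the switch, which is plausibly how CRED_ACCOUNT_LIST_COMMENTS ended up in the wrong group to begin with. A one-line comment at the head of each group, e.g. `/* credentials every logged-in user has */` above `case CRED_PKGBASE_FLAG:` and `/* Trusted Users and Developers only */` above `case CRED_ACCOUNT_CHANGE_TYPE:`, would make a misplacement like this visible at review time. The hunk header shows has_credential's signature, but its body starts before the first hunk and continues after the second. These two hunks recur unchanged in the quoted copy further down the thread and in the v2 and v3 resends.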
Will this still allow users to view their own comments? That is a very useful feature that I use often to not forget my conversations On 8/18/19 9:28 AM, Eli Schwartz wrote:
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page, but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev"
The credential checking code, however, set this credential for all users, contrary to the intention of the commit.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 web/lib/credentials.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
 $atype = account_from_sid($_COOKIE['AURSID']);
switch ($credential) {
- case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_PKGBASE_FLAG:
 case CRED_PKGBASE_NOTIFY:
 case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
 case CRED_ACCOUNT_CHANGE_TYPE:
 case CRED_ACCOUNT_EDIT:
 case CRED_ACCOUNT_LAST_LOGIN:
+ case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_ACCOUNT_SEARCH:
 case CRED_COMMENT_DELETE:
 case CRED_COMMENT_UNDELETE:
On 8/18/19 4:55 AM, Lars Rustand wrote:
Will this still allow users to view their own comments? That is a very useful feature that I use often to not forget my conversations
No, but I can modify the patch to allow it. Before I did anything, it was inadvertently discovered that not only can users view anyone's comments, which doesn't seem to have been the intended goal, users could also view anyone's *deleted* comments which was entirely not wanted at all. :/ It should be simple to allow users to view the /comments page for their own profile alone. -- Eli Schwartz Bug Wrangler and Trusted User
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
v2: allow users to view their own comments
 web/html/account.php | 2 +-
 web/lib/credentials.inc.php | 2 +-
 web/template/account_details.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b..4bed3df 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) {
 }
 } elseif ($action == "ListComments") {
- if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
+ if (has_credential(CRED_ACCOUNT_LIST_COMMENTS), $row["ID"]) {
 # display the comment list if they're a TU/dev
 $total_comment_count = account_comments_count($row["ID"]);
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
 $atype = account_from_sid($_COOKIE['AURSID']);
 switch ($credential) {
- case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_PKGBASE_FLAG:
 case CRED_PKGBASE_NOTIFY:
 case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
 case CRED_ACCOUNT_CHANGE_TYPE:
 case CRED_ACCOUNT_EDIT:
 case CRED_ACCOUNT_LAST_LOGIN:
+ case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_ACCOUNT_SEARCH:
 case CRED_COMMENT_DELETE:
 case CRED_COMMENT_UNDELETE:
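Review bot: The comment `# display the comment list if they're a TU/dev` on the line after the changed condition is now stale: with `$row["ID"]` passed as the approved-user list, the branch is also taken when a user views their own account, so it should read `# display the comment list if they're a TU/dev, or viewing their own account`. The v3 resend carries the same comment unchanged. As written here the closing parenthesis sits before `, $row["ID"]`, so the id never reaches has_credential; the v3 version in this thread already moves it and wraps the id in `array(...)`. The enclosing elseif chain under `if (isset($_COOKIE["AURSID"]))` begins and ends outside the hunk.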
diff --git a/web/template/account_details.php b/web/template/account_details.php
index fa6b528..c2167e2 100644
--- a/web/template/account_details.php
+++ b/web/template/account_details.php
@@ -82,7 +82,7 @@
 <?php if (can_edit_account($row)): ?>
 <li><a href="<?= get_user_uri($row['Username']); ?>edit"><?= __("Edit this user's account") ?></a></li>
 <?php endif; ?>
- <?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)): ?>
+ <?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, $row['ID'])): ?>
 <li><a href="<?= get_user_uri($row['Username']); ?>comments"><?= __("List this user's comments") ?></a></li>
 <?php endif; ?>
 </ul></td>
-- 
2.23.0
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
v3: fix:
- typoed end parens in the wrong place causing the page to break
- need to cast $row['ID'] to an array
 web/html/account.php | 2 +-
 web/lib/credentials.inc.php | 2 +-
 web/template/account_details.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b..1d59e9c 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) {
 }
 } elseif ($action == "ListComments") {
- if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
+ if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) {
 # display the comment list if they're a TU/dev
 $total_comment_count = account_comments_count($row["ID"]);
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
 $atype = account_from_sid($_COOKIE['AURSID']);
 switch ($credential) {
- case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_PKGBASE_FLAG:
 case CRED_PKGBASE_NOTIFY:
 case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
 case CRED_ACCOUNT_CHANGE_TYPE:
 case CRED_ACCOUNT_EDIT:
 case CRED_ACCOUNT_LAST_LOGIN:
+ case CRED_ACCOUNT_LIST_COMMENTS:
 case CRED_ACCOUNT_SEARCH:
 case CRED_COMMENT_DELETE:
 case CRED_COMMENT_UNDELETE:
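Review bot: `$row["ID"]` comes from a database row and, depending on driver settings, may be a string, while the session uid that has_credential tests it against is presumably an integer; the membership check that decides whether those compare equal is outside the hunk, so either confirm it is a loose comparison or pass `array((int)$row["ID"])` so the owner path this revision sets out to preserve cannot silently fail. The template hunk in the same patch passes the same value and would want the same cast. A mismatch here fails closed — only the account owner loses the link and the page, the TU/dev path is unaffected — so it is a usability rather than an exposure risk, but it is the one case v3 exists to keep working. The enclosing elseif chain begins and ends outside the hunk.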
diff --git a/web/template/account_details.php b/web/template/account_details.php
index fa6b528..84f8b9c 100644
--- a/web/template/account_details.php
+++ b/web/template/account_details.php
@@ -82,7 +82,7 @@
 <?php if (can_edit_account($row)): ?>
 <li><a href="<?= get_user_uri($row['Username']); ?>edit"><?= __("Edit this user's account") ?></a></li>
 <?php endif; ?>
- <?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)): ?>
+ <?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row['ID']))): ?>
 <li><a href="<?= get_user_uri($row['Username']); ?>comments"><?= __("List this user's comments") ?></a></li>
 <?php endif; ?>
 </ul></td>
-- 
2.23.0