diff options
author | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-02-06 09:04:10 +0100 |
---|---|---|
committer | Lukas Fleischer <archlinux@cryptocrack.de> | 2014-02-06 16:28:33 +0100 |
commit | b8a31dcc72703b4cd597e4ce681abcf6b0a3d507 (patch) | |
tree | e9fe57a6ead2acb1a5118f76142b7e7718889512 /web | |
parent | fb7bde3a6ca049700a691324c21005ae26782584 (diff) | |
download | aurweb-b8a31dcc72703b4cd597e4ce681abcf6b0a3d507.tar.xz |
Do not allow unauthenticated users to delete comments
Since commit fb7bde3 (Add support for anonymous comments, 2014-02-04),
we support comments with no specific author. Add a check to
canDeleteComment() and canDeleteCommentArray() to ensure an
unauthenticated user cannot delete such comments.
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Diffstat (limited to 'web')
-rw-r--r-- | web/lib/pkgfuncs.inc.php | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 80165c9..72daaf4 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -14,6 +14,10 @@ include_once("config.inc.php"); * @return bool True if the user can delete the comment, otherwise false */ function canDeleteComment($comment_id=0, $atype="", $uid=0) { + if (!$uid) { + /* Unauthenticated users cannot delete anything. */ + return false; + } if ($atype == "Trusted User" || $atype == "Developer") { # A TU/Dev can delete any comment return TRUE; @@ -46,7 +50,10 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0) { * @return bool True if the user can delete the comment, otherwise false */ function canDeleteCommentArray($comment, $atype="", $uid=0) { - if ($atype == "Trusted User" || $atype == "Developer") { + if (!$uid) { + /* Unauthenticated users cannot delete anything. */ + return false; + } elseif ($atype == "Trusted User" || $atype == "Developer") { # A TU/Dev can delete any comment return TRUE; } else if ($comment['UsersID'] == $uid) { |