From b8a31dcc72703b4cd597e4ce681abcf6b0a3d507 Mon Sep 17 00:00:00 2001 From: Lukas Fleischer Date: Thu, 6 Feb 2014 09:04:10 +0100 Subject: Do not allow unauthenticated users to delete comments Since commit fb7bde3 (Add support for anonymous comments, 2014-02-04), we support comments with no specific author. Add a check to canDeleteComment() and canDeleteCommentArray() to ensure an unauthenticated user cannot delete such comments. Signed-off-by: Lukas Fleischer --- web/lib/pkgfuncs.inc.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php index 80165c9..72daaf4 100644 --- a/web/lib/pkgfuncs.inc.php +++ b/web/lib/pkgfuncs.inc.php @@ -14,6 +14,10 @@ include_once("config.inc.php"); * @return bool True if the user can delete the comment, otherwise false */ function canDeleteComment($comment_id=0, $atype="", $uid=0) { + if (!$uid) { + /* Unauthenticated users cannot delete anything. */ + return false; + } if ($atype == "Trusted User" || $atype == "Developer") { # A TU/Dev can delete any comment return TRUE; @@ -46,7 +50,10 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0) { * @return bool True if the user can delete the comment, otherwise false */ function canDeleteCommentArray($comment, $atype="", $uid=0) { - if ($atype == "Trusted User" || $atype == "Developer") { + if (!$uid) { + /* Unauthenticated users cannot delete anything. */ + return false; + } elseif ($atype == "Trusted User" || $atype == "Developer") { # A TU/Dev can delete any comment return TRUE; } else if ($comment['UsersID'] == $uid) { -- cgit v1.2.3-70-g09d2