From b8a31dcc72703b4cd597e4ce681abcf6b0a3d507 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Thu, 6 Feb 2014 09:04:10 +0100
Subject: Do not allow unauthenticated users to delete comments

Since commit fb7bde3 (Add support for anonymous comments, 2014-02-04),
we support comments with no specific author. Add a check to
canDeleteComment() and canDeleteCommentArray() to ensure an
unauthenticated user cannot delete such comments.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/pkgfuncs.inc.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'web')

diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 80165c9..72daaf4 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -14,6 +14,10 @@ include_once("config.inc.php");
  * @return bool True if the user can delete the comment, otherwise false
  */
 function canDeleteComment($comment_id=0, $atype="", $uid=0) {
+	if (!$uid) {
+		/* Unauthenticated users cannot delete anything. */
+		return false;
+	}
 	if ($atype == "Trusted User" || $atype == "Developer") {
 		# A TU/Dev can delete any comment
 		return TRUE;
@@ -46,7 +50,10 @@ function canDeleteComment($comment_id=0, $atype="", $uid=0) {
  * @return bool True if the user can delete the comment, otherwise false
  */
 function canDeleteCommentArray($comment, $atype="", $uid=0) {
-	if ($atype == "Trusted User" || $atype == "Developer") {
+	if (!$uid) {
+		/* Unauthenticated users cannot delete anything. */
+		return false;
+	} elseif ($atype == "Trusted User" || $atype == "Developer") {
 		# A TU/Dev can delete any comment
 		return TRUE;
 	} else if ($comment['UsersID'] == $uid) {
-- 
cgit v1.2.3-54-g00ecf