[v3] Move permission for LIST_COMMENTS to dev/tu block

Message ID 20190818170507.8578-1-eschwartz@archlinux.org
State New
Headers show
Series
  • [v3] Move permission for LIST_COMMENTS to dev/tu block
Related show

Commit Message

Eli Schwartz Aug. 18, 2019, 5:05 p.m. UTC
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page , but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---

v3: fix:
- typoed end parens in the wrong place causing the page to break
- need to cast $row['ID'] to an array

 web/html/account.php             | 2 +-
 web/lib/credentials.inc.php      | 2 +-
 web/template/account_details.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

Patch

diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b..1d59e9c 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@  if (isset($_COOKIE["AURSID"])) {
 		}
 
 	} elseif ($action == "ListComments") {
-		if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
+		if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) {
 			# display the comment list if they're a TU/dev
 
 			$total_comment_count = account_comments_count($row["ID"]);
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@  function has_credential($credential, $approved_users=array()) {
 	$atype = account_from_sid($_COOKIE['AURSID']);
 
 	switch ($credential) {
-	case CRED_ACCOUNT_LIST_COMMENTS:
 	case CRED_PKGBASE_FLAG:
 	case CRED_PKGBASE_NOTIFY:
 	case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@  function has_credential($credential, $approved_users=array()) {
 	case CRED_ACCOUNT_CHANGE_TYPE:
 	case CRED_ACCOUNT_EDIT:
 	case CRED_ACCOUNT_LAST_LOGIN:
+	case CRED_ACCOUNT_LIST_COMMENTS:
 	case CRED_ACCOUNT_SEARCH:
 	case CRED_COMMENT_DELETE:
 	case CRED_COMMENT_UNDELETE:
diff --git a/web/template/account_details.php b/web/template/account_details.php
index fa6b528..84f8b9c 100644
--- a/web/template/account_details.php
+++ b/web/template/account_details.php
@@ -82,7 +82,7 @@ 
 					<?php if (can_edit_account($row)): ?>
 						<li><a href="<?= get_user_uri($row['Username']); ?>edit"><?= __("Edit this user's account") ?></a></li>
 					<?php endif; ?>
-					<?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)): ?>
+					<?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row['ID']))): ?>
 						<li><a href="<?= get_user_uri($row['Username']); ?>comments"><?= __("List this user's comments") ?></a></li>
 					<?php endif; ?>
 					</ul></td>