Move permission for LIST_COMMENTS to dev/tu block

Message ID 20190818072811.28017-1-eschwartz@archlinux.org
State Superseded, archived
Series Move permission for LIST_COMMENTS to dev/tu block

Commit Message

Eli Schwartz Aug. 18, 2019, 7:28 a.m. UTC
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page, but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 web/lib/credentials.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Lars Rustand Aug. 18, 2019, 8:55 a.m. UTC | #1
Will this still allow users to view their own comments? That is a very
useful feature that I use often to not forget my conversations.

On 8/18/19 9:28 AM, Eli Schwartz wrote:
> In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
> listing of comments from the account details page, but this was
> intended to only be available to TUs and Devs. As the comment says:
> "display the comment list if they're a TU/dev"
>
> The credential checking code, however, set this credential for all
> users, contrary to the intention of the commit.
>
> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
> ---
>   web/lib/credentials.inc.php | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
> index c125119..96c7233 100644
> --- a/web/lib/credentials.inc.php
> +++ b/web/lib/credentials.inc.php
> @@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
>   	$atype = account_from_sid($_COOKIE['AURSID']);
>   
>   	switch ($credential) {
> -	case CRED_ACCOUNT_LIST_COMMENTS:
>   	case CRED_PKGBASE_FLAG:
>   	case CRED_PKGBASE_NOTIFY:
>   	case CRED_PKGBASE_VOTE:
> @@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
>   	case CRED_ACCOUNT_CHANGE_TYPE:
>   	case CRED_ACCOUNT_EDIT:
>   	case CRED_ACCOUNT_LAST_LOGIN:
> +	case CRED_ACCOUNT_LIST_COMMENTS:
>   	case CRED_ACCOUNT_SEARCH:
>   	case CRED_COMMENT_DELETE:
>   	case CRED_COMMENT_UNDELETE:

Eli Schwartz Aug. 18, 2019, 4:47 p.m. UTC | #2
On 8/18/19 4:55 AM, Lars Rustand wrote:
> Will this still allow users to view their own comments? That is a very
> useful feature that I use often to not forget my conversations.

No, but I can modify the patch to allow it.

Before I did anything, it was inadvertently discovered that not only can
users view anyone's comments, which doesn't seem to have been the
intended goal, users could also view anyone's *deleted* comments, which
was entirely not wanted at all. :/

It should be simple to allow users to view the /comments page for their
own profile alone.

Patch

diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@  function has_credential($credential, $approved_users=array()) {
 	$atype = account_from_sid($_COOKIE['AURSID']);
 
 	switch ($credential) {
-	case CRED_ACCOUNT_LIST_COMMENTS:
 	case CRED_PKGBASE_FLAG:
 	case CRED_PKGBASE_NOTIFY:
 	case CRED_PKGBASE_VOTE:
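Review bot: dropping `case CRED_ACCOUNT_LIST_COMMENTS:` from this all-users block withdraws the credential from ordinary users outright, including for their own account page, which is the regression Lars raises in #1 and that Eli agrees in #2 he can accommodate. If viewing one's own comment list should stay available, the `$approved_users=array()` parameter visible in the hunk header looks like the existing hook for a per-owner allowance: the /comments caller could pass the profile owner's uid there, so the credential is granted to TUs/devs by type and to the owner by identity, rather than to every logged-in user. Whatever the outcome, the deleted-comments exposure described in #2 deserves its own filter in the page that renders the list, since an owner-only view should still not surface deleted entries.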
@@ -60,6 +59,7 @@  function has_credential($credential, $approved_users=array()) {
 	case CRED_ACCOUNT_CHANGE_TYPE:
 	case CRED_ACCOUNT_EDIT:
 	case CRED_ACCOUNT_LAST_LOGIN:
+	case CRED_ACCOUNT_LIST_COMMENTS:
 	case CRED_ACCOUNT_SEARCH:
 	case CRED_COMMENT_DELETE:
 	case CRED_COMMENT_UNDELETE:
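Review bot: the commit message understates what this hunk fixes. Per the reply in #2, the all-users grant let any logged-in user list anyone's comments, deleted ones included, so moving the case into the TU/dev block is an access-control fix rather than a tidy-up, and the message should say so (and reference the "display the comment list if they're a TU/dev" comment it quotes) for anyone auditing or bisecting later. Placement between `CRED_ACCOUNT_LAST_LOGIN` and `CRED_ACCOUNT_SEARCH` keeps the block alphabetical, which is fine; a follow-up adding a test that a plain-user session is denied this credential would guard against the grant silently drifting back.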