Message ID | 20190818072811.28017-1-eschwartz@archlinux.org |
---|---|
State | Superseded, archived |
Series | Move permission for LIST_COMMENTS to dev/tu block |
Will this still allow users to view their own comments? That is a very useful feature that I use often to not forget my conversations.

On 8/18/19 9:28 AM, Eli Schwartz wrote:
> In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
> listing of comments from the account details page, but this was
> intended to only be available to TUs and Devs. As the comment says:
> "display the comment list if they're a TU/dev"
>
> The credential checking code, however, set this credential for all
> users, contrary to the intention of the commit.
>
> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
> ---
> web/lib/credentials.inc.php | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php > index c125119..96c7233 100644 > --- a/web/lib/credentials.inc.php > +++ b/web/lib/credentials.inc.php > @@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) { > $atype = account_from_sid($_COOKIE['AURSID']); > > switch ($credential) { > - case CRED_ACCOUNT_LIST_COMMENTS: > case CRED_PKGBASE_FLAG: > case CRED_PKGBASE_NOTIFY: > case CRED_PKGBASE_VOTE: > @@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) { > case CRED_ACCOUNT_CHANGE_TYPE: > case CRED_ACCOUNT_EDIT: > case CRED_ACCOUNT_LAST_LOGIN: > + case CRED_ACCOUNT_LIST_COMMENTS: > case CRED_ACCOUNT_SEARCH: > case CRED_COMMENT_DELETE: > case CRED_COMMENT_UNDELETE:
On 8/18/19 4:55 AM, Lars Rustand wrote:
> Will this still allow users to view their own comments? That is a very
> useful feature that I use often to not forget my conversations

No, but I can modify the patch to allow it.

Before I did anything, it was inadvertently discovered that not only can users view anyone's comments, which doesn't seem to have been the intended goal, users could also view anyone's *deleted* comments which was entirely not wanted at all. :/

It should be simple to allow users to view the /comments page for their own profile alone.
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php index c125119..96c7233 100644 --- a/web/lib/credentials.inc.php +++ b/web/lib/credentials.inc.php @@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) { $atype = account_from_sid($_COOKIE['AURSID']); switch ($credential) { - case CRED_ACCOUNT_LIST_COMMENTS: case CRED_PKGBASE_FLAG: case CRED_PKGBASE_NOTIFY: case CRED_PKGBASE_VOTE: @@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) { case CRED_ACCOUNT_CHANGE_TYPE: case CRED_ACCOUNT_EDIT: case CRED_ACCOUNT_LAST_LOGIN: + case CRED_ACCOUNT_LIST_COMMENTS: case CRED_ACCOUNT_SEARCH: case CRED_COMMENT_DELETE: case CRED_COMMENT_UNDELETE:
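Review bot: In the first hunk, dropping `case CRED_ACCOUNT_LIST_COMMENTS:` from the group that starts with `CRED_PKGBASE_FLAG` also takes the comment list away from the account owner, which the thread confirms is a side effect rather than a goal. The function signature in the hunk header carries an `$approved_users` parameter; the code that consumes it is outside the visible lines, so please confirm whether the caller can pass the profile owner through it, and if it can, do that from the account comments page so that self-view keeps working. Because the thread also reports that deleted comments were exposed, any self-view path should be reviewed for whether it shows deleted comments before it is re-enabled.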
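Review bot: The second hunk relies on the position of the case label alone, placing `case CRED_ACCOUNT_LIST_COMMENTS:` between `CRED_ACCOUNT_LAST_LOGIN` and `CRED_ACCOUNT_SEARCH`, and nothing in the visible context says which account types that group grants. A label sitting in the wrong unlabelled fall-through group is the defect the commit message describes, so consider a one-line comment at the head of each group naming its audience (all users versus TU/dev). The body this group falls through to is outside the hunk, so the TU/dev restriction stated in the commit message cannot be confirmed from the diff itself; a test that requests the comment list as a regular user and expects a denial would cover it.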
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page, but this was intended to only be available to TUs and Devs. As the comment says:

"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all users, contrary to the intention of the commit.

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>

---
web/lib/credentials.inc.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)