From patchwork Sun Aug 18 17:05:07 2019
X-Patchwork-Submitter: Eli Schwartz
X-Patchwork-Id: 1208
From: Eli Schwartz
To: aur-dev@archlinux.org
Subject: [aur-dev][PATCH v3] Move permission for LIST_COMMENTS to dev/tu block
Date: Sun, 18 Aug 2019 13:05:07 -0400
Message-Id: <20190818170507.8578-1-eschwartz@archlinux.org>
X-Mailer: git-send-email 2.23.0
List-Id: "Arch User Repository \(AUR\) Development"

In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of
comments from the account details page, but this was intended to only be
available to TUs and Devs. As the comment says:

"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all users,
contrary to the intention of the commit.

In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.

Signed-off-by: Eli Schwartz
---
v3: fix:
- typoed end parens in the wrong place causing the page to break
- need to cast $row['ID'] to an array

 web/html/account.php             | 2 +-
 web/lib/credentials.inc.php      | 2 +-
 web/template/account_details.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b..1d59e9c 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) { } } elseif ($action == "ListComments") { - if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) { + if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) { # display the comment list if they're a TU/dev $total_comment_count = account_comments_count($row["ID"]); diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php index c125119..96c7233 100644 --- a/web/lib/credentials.inc.php +++ b/web/lib/credentials.inc.php @@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) { $atype = account_from_sid($_COOKIE['AURSID']); switch ($credential) { - case CRED_ACCOUNT_LIST_COMMENTS: case CRED_PKGBASE_FLAG: case CRED_PKGBASE_NOTIFY: case CRED_PKGBASE_VOTE: @@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) { case CRED_ACCOUNT_CHANGE_TYPE: case CRED_ACCOUNT_EDIT: case CRED_ACCOUNT_LAST_LOGIN: + case CRED_ACCOUNT_LIST_COMMENTS: case CRED_ACCOUNT_SEARCH: case CRED_COMMENT_DELETE: case CRED_COMMENT_UNDELETE: diff --git a/web/template/account_details.php b/web/template/account_details.php index fa6b528..84f8b9c 100644 --- a/web/template/account_details.php +++ b/web/template/account_details.php @@ -82,7 +82,7 @@
  • - +
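Review bot: in the web/html/account.php hunk (`@@ -167,7 +167,7 @@`), the context comment `# display the comment list if they're a TU/dev` directly under the changed `if` is now stale, because passing `array($row["ID"])` as the approved-user list also admits the owner of the profile being viewed; update it to say "TU/dev, or the account's owner" so the next reader does not reintroduce the old behaviour. It is also worth confirming that `$row["ID"]` is populated from the account lookup on every path that reaches `$action == "ListComments"`, since an unset value would quietly turn the approved-user list into `array(null)`, and that the uid `has_credential()` compares it against has the same type as the database ID (a strict comparison of a string ID against an integer uid would deny the owner).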
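Review bot: removing `case CRED_ACCOUNT_LIST_COMMENTS:` from the first block in web/lib/credentials.inc.php (`@@ -49,7 +49,6 @@`) changes the answer for every caller of `has_credential(CRED_ACCOUNT_LIST_COMMENTS)` that does not pass an approved-user list, not only the one in account.php. The diffstat shows just account.php and account_details.php being touched, so a grep for any other call site before merging would be prudent; a missed one now silently denies regular users. That is fail-closed and the right direction, but it should be deliberate rather than a side effect.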
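Review bot: the second credentials.inc.php hunk (`@@ -60,6 +59,7 @@`) keeps the block's alphabetical order (after `CRED_ACCOUNT_LAST_LOGIN`, before `CRED_ACCOUNT_SEARCH`), which is good. What the hunk relies on but does not show is that the `$approved_users` check in `has_credential($credential, $approved_users=array())` runs before `switch ($credential)`; if it sat after the switch, the "list a person's own comments" case the commit message wants to preserve would never fire once the credential lives in the TU/dev block. A sentence in the commit message pointing at that check, or a small test covering owner, other user and TU, would make the intent verifiable from the patch alone.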
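Review bot: the body of the web/template/account_details.php hunk (`@@ -82,7 +82,7 @@`) did not survive extraction on this page (only `• - +` is left), so the template side cannot be reviewed here. Per the diffstat it is a one-line change; it should gate the comment-list link on the same `has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))` call used in account.php, so the link is shown exactly when the ListComments action would succeed and the two checks cannot drift apart.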
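The authorization matrix the commit message describes (a TU or Developer, or the owner of the profile, may list comments; any other logged-in user may not), as an added illustration that is not code from the aurweb tree: a stand-alone PHP model of the `has_credential()` pattern the patch touches, with the credential's pre-patch and post-patch placement side by side. The numeric account-type constants, their ordering user < TU < dev, the credential string values and the helper names are assumptions made for this example; the real function and constants are the ones in web/lib/credentials.inc.php.

```php
<?php
// Added illustration, not code from the aurweb tree. Models the has_credential()
// pattern the patch touches and compares the pre-patch and post-patch placement
// of CRED_ACCOUNT_LIST_COMMENTS. Account-type values, their ordering and the
// helper names are assumptions for this example.

const ACCT_USER = 1;   // assumed: ordinary logged-in user
const ACCT_TU   = 2;   // assumed: Trusted User
const ACCT_DEV  = 3;   // assumed: Developer

const CRED_PKGBASE_VOTE          = 'CRED_PKGBASE_VOTE';
const CRED_ACCOUNT_EDIT          = 'CRED_ACCOUNT_EDIT';
const CRED_ACCOUNT_LIST_COMMENTS = 'CRED_ACCOUNT_LIST_COMMENTS';

/**
 * Viewer ($uid, $atype) asks for $credential. $approved_users is the list of
 * uids the caller declares as allowed regardless of account type (the patch
 * passes the viewed profile's ID here). $pre_patch selects where
 * CRED_ACCOUNT_LIST_COMMENTS sits: the any-user block (before) or the
 * TU/dev block (after).
 */
function model_has_credential(string $credential, int $uid, int $atype,
                              array $approved_users, bool $pre_patch): bool
{
    // Caller-declared uids are honoured before the account-type switch; this is
    // the path that keeps "list my own comments" working after the move.
    if (in_array($uid, $approved_users, true)) {
        return true;
    }

    $any_user = [CRED_PKGBASE_VOTE];
    $tu_dev   = [CRED_ACCOUNT_EDIT];
    if ($pre_patch) {
        $any_user[] = CRED_ACCOUNT_LIST_COMMENTS;   // bug: granted to every user
    } else {
        $tu_dev[] = CRED_ACCOUNT_LIST_COMMENTS;     // fix: TU/dev only
    }

    if (in_array($credential, $any_user, true)) {
        return $atype >= ACCT_USER;
    }
    if (in_array($credential, $tu_dev, true)) {
        return $atype >= ACCT_TU;
    }
    return false;  // unknown credential: fail closed
}

/**
 * Who may run ListComments on profile $profile_uid. The pre-patch call site
 * passed no approved-user list; the patched one passes array($row["ID"]).
 */
function list_comments_matrix(int $profile_uid, bool $pre_patch): array
{
    $approved = $pre_patch ? [] : [$profile_uid];
    $viewers = [
        'owner (plain user)' => [$profile_uid, ACCT_USER],
        'other plain user'   => [7,            ACCT_USER],
        'Trusted User'       => [8,            ACCT_TU],
        'Developer'          => [9,            ACCT_DEV],
    ];
    $result = [];
    foreach ($viewers as $label => [$uid, $atype]) {
        $result[$label] = model_has_credential(
            CRED_ACCOUNT_LIST_COMMENTS, $uid, $atype, $approved, $pre_patch);
    }
    return $result;
}

foreach (['pre-patch' => true, 'post-patch' => false] as $name => $pre) {
    echo "$name\n";
    foreach (list_comments_matrix(42, $pre) as $label => $ok) {
        printf("  %-20s %s\n", $label, $ok ? 'allowed' : 'denied');
    }
}
```

Run it with `php` on the command line: the only row that differs between the two tables is "other plain user", which is allowed before the move and denied after it, while the owner stays allowed only because the call site now declares the profile's uid in the approved-user list. That is the property a reviewer wants to see pinned down by a test in the real tree, rather than inferred from the position of a `case` label.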