Move permission for LIST_COMMENTS to dev/tu block

In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
author: Eli Schwartz <eschwartz@archlinux.org> 2019-08-18 09:17:05 +0200
committer: Eli Schwartz <eschwartz@archlinux.org> 2019-08-18 19:01:37 +0200
commit: 3ac958ac0167d1c1989fc09e893a578e8a22f21f (patch)
tree: 0529a7543d0ec453d04447038c219dd57cece732 /web/html
parent: 7f008b0bc4610dad15c6dfaaf724d4d5bad84c55 (diff)
download: aur-3ac958ac0167d1c1989fc09e893a578e8a22f21f.tar.gz
aur-3ac958ac0167d1c1989fc09e893a578e8a22f21f.tar.xz
1 files changed, 1 insertions, 1 deletions
diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b7..1d59e9c9 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) {
 		}
 
 	} elseif ($action == "ListComments") {
-		if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
+		if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) {
 			# display the comment list if they're a TU/dev
 
 			$total_comment_count = account_comments_count($row["ID"]);
author	Eli Schwartz <eschwartz@archlinux.org>	2019-08-18 09:17:05 +0200
committer	Eli Schwartz <eschwartz@archlinux.org>	2019-08-18 19:01:37 +0200
commit	3ac958ac0167d1c1989fc09e893a578e8a22f21f (patch)
tree	0529a7543d0ec453d04447038c219dd57cece732 /web/html
parent	7f008b0bc4610dad15c6dfaaf724d4d5bad84c55 (diff)
download	aur-3ac958ac0167d1c1989fc09e893a578e8a22f21f.tar.gz aur-3ac958ac0167d1c1989fc09e893a578e8a22f21f.tar.xz