summaryrefslogtreecommitdiffstats
path: root/web
diff options
context:
space:
mode:
authorEli Schwartz <eschwartz@archlinux.org>2019-08-18 09:17:05 +0200
committerEli Schwartz <eschwartz@archlinux.org>2019-08-18 19:01:37 +0200
commit3ac958ac0167d1c1989fc09e893a578e8a22f21f (patch)
tree0529a7543d0ec453d04447038c219dd57cece732 /web
parent7f008b0bc4610dad15c6dfaaf724d4d5bad84c55 (diff)
downloadaur-3ac958ac0167d1c1989fc09e893a578e8a22f21f.tar.gz
aur-3ac958ac0167d1c1989fc09e893a578e8a22f21f.tar.xz
Move permission for LIST_COMMENTS to dev/tu block
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented listing of comments from the account details page , but this was intended to only be available to TUs and Devs. As the comment says: "display the comment list if they're a TU/dev" The credential checking code, however, set this credential for all users, contrary to the intention of the commit. In order to preserve the ability to list a person's own comments, also declare the allowed uids based on the profile being viewed.
Diffstat (limited to 'web')
-rw-r--r--web/html/account.php2
-rw-r--r--web/lib/credentials.inc.php2
-rw-r--r--web/template/account_details.php2
3 files changed, 3 insertions, 3 deletions
diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b7..1d59e9c9 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) {
}
} elseif ($action == "ListComments") {
- if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
+ if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) {
# display the comment list if they're a TU/dev
$total_comment_count = account_comments_count($row["ID"]);
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c1251197..96c72339 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
$atype = account_from_sid($_COOKIE['AURSID']);
switch ($credential) {
- case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_PKGBASE_FLAG:
case CRED_PKGBASE_NOTIFY:
case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
case CRED_ACCOUNT_CHANGE_TYPE:
case CRED_ACCOUNT_EDIT:
case CRED_ACCOUNT_LAST_LOGIN:
+ case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_ACCOUNT_SEARCH:
case CRED_COMMENT_DELETE:
case CRED_COMMENT_UNDELETE:
diff --git a/web/template/account_details.php b/web/template/account_details.php
index fa6b528c..84f8b9c5 100644
--- a/web/template/account_details.php
+++ b/web/template/account_details.php
@@ -82,7 +82,7 @@
<?php if (can_edit_account($row)): ?>
<li><a href="<?= get_user_uri($row['Username']); ?>edit"><?= __("Edit this user's account") ?></a></li>
<?php endif; ?>
- <?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)): ?>
+ <?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row['ID']))): ?>
<li><a href="<?= get_user_uri($row['Username']); ?>comments"><?= __("List this user's comments") ?></a></li>
<?php endif; ?>
</ul></td>