From d136d7c874cd3fbc012ca43250c64deb9e791b94 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Tue, 29 Jul 2014 15:17:58 +0200
Subject: Allow users to delete their own comments

Fixes a regression introduced in 03c6304 (Rework permission handling,
2014-07-15). Fixes FS#41379.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
---
 web/lib/pkgfuncs.inc.php | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 69b1c94c..defe7f45 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -13,27 +13,19 @@ include_once("pkgbasefuncs.inc.php");
  * @return bool True if the user can delete the comment, otherwise false
  */
 function can_delete_comment($comment_id=0) {
-	if (!uid_from_sid($_COOKIE["AURSID"])) {
-		/* Unauthenticated users cannot delete anything. */
-		return false;
-	}
-	if (has_credential(CRED_COMMENT_DELETE)) {
-		/* TUs and developers can delete any comment. */
-		return true;
-	}
-
 	$dbh = DB::connect();
 
-	$q = "SELECT COUNT(*) FROM PackageComments ";
-	$q.= "WHERE ID = " . intval($comment_id) . " AND UsersID = " . $uid;
+	$q = "SELECT UsersID FROM PackageComments ";
+	$q.= "WHERE ID = " . intval($comment_id);
 	$result = $dbh->query($q);
 
 	if (!$result) {
 		return false;
 	}
 
-	$row = $result->fetch(PDO::FETCH_NUM);
-	return ($row[0] > 0);
+	$uid = $result->fetch(PDO::FETCH_COLUMN, 0);
+
+	return has_credential(CRED_COMMENT_DELETE, array($uid));
 }
 
 /**
-- 
cgit v1.2.3-24-g4f1b