[aur-dev][PATCH v3] Move permission for LIST_COMMENTS to dev/tu block

2019-08-18 Thread Eli Schwartz
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page, but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.

Signed-off-by: Eli Schwartz 
---

v3: fix:
- typoed end parens in the wrong place causing the page to break
- need to cast $row['ID'] to an array

 web/html/account.php | 2 +-
 web/lib/credentials.inc.php  | 2 +-
 web/template/account_details.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b..1d59e9c 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) {
}
 
} elseif ($action == "ListComments") {
-   if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
+   if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, 
array($row["ID"]))) {
# display the comment list if they're a TU/dev
 
$total_comment_count = 
account_comments_count($row["ID"]);
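Review bot: the context comment `# display the comment list if they're a TU/dev` is now inaccurate, because passing `array($row["ID"])` as `$approved_users` also lets the owner of the viewed profile through; update it to say TU/dev or the account owner so a later reader does not "fix" the check back to TU/dev only. Also confirm that `$row["ID"]` at this point is the id of the profile being viewed rather than the session user, since the commit message says the allowed uids are declared from the profile being viewed.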
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) 
{
$atype = account_from_sid($_COOKIE['AURSID']);
 
switch ($credential) {
-   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_PKGBASE_FLAG:
case CRED_PKGBASE_NOTIFY:
case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) 
{
case CRED_ACCOUNT_CHANGE_TYPE:
case CRED_ACCOUNT_EDIT:
case CRED_ACCOUNT_LAST_LOGIN:
+   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_ACCOUNT_SEARCH:
case CRED_COMMENT_DELETE:
case CRED_COMMENT_UNDELETE:
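Review bot: nothing in this hunk or the v3 changelog addresses deleted comments, which the reply in this thread singled out as the part that was "entirely not wanted": the case now sits in the same block as CRED_ACCOUNT_EDIT and CRED_ACCOUNT_LAST_LOGIN, but with `$approved_users` the profile owner passes this credential too, so if the listing includes deleted comments an owner will still see their own deleted comments. State in the commit message whether that is intended, or filter deleted comments out for viewers who are not TU/dev.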
diff --git a/web/template/account_details.php b/web/template/account_details.php
index fa6b528..84f8b9c 100644
--- a/web/template/account_details.php
+++ b/web/template/account_details.php
@@ -82,7 +82,7 @@



-   
+   



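Review bot: the template condition in this hunk should mirror the handler in web/html/account.php exactly, i.e. `has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))`; if the template keeps the single-argument form, the link is hidden from profile owners who are now permitted, and if it keys on a different uid variable than the handler, the link and the handler disagree about who may click it. The `-`/`+` lines of this hunk are empty in this copy of the patch, so this could not be checked here.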
-- 
2.23.0


Re: [aur-dev][PATCH] Move permission for LIST_COMMENTS to dev/tu block

2019-08-18 Thread Eli Schwartz
On 8/18/19 4:55 AM, Lars Rustand wrote:
> Will this still allow users to view their own comments? That is a very
> useful feature that I use often to not forget my conversations

No, but I can modify the patch to allow it.

Before I did anything, it was inadvertently discovered that not only can
users view anyone's comments, which doesn't seem to have been the
intended goal, users could also view anyone's *deleted* comments which
was entirely not wanted at all. :/

It should be simple to allow users to view the /comments page for their
own profile alone.

-- 
Eli Schwartz
Bug Wrangler and Trusted User





[aur-dev][PATCH v2] Move permission for LIST_COMMENTS to dev/tu block

2019-08-18 Thread Eli Schwartz
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page, but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.

Signed-off-by: Eli Schwartz 
---

v2: allow users to view their own comments

 web/html/account.php | 2 +-
 web/lib/credentials.inc.php  | 2 +-
 web/template/account_details.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/html/account.php b/web/html/account.php
index 9695c9b..4bed3df 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) {
}
 
} elseif ($action == "ListComments") {
-   if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
+   if (has_credential(CRED_ACCOUNT_LIST_COMMENTS), $row["ID"]) {
# display the comment list if they're a TU/dev
 
$total_comment_count = 
account_comments_count($row["ID"]);
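Review bot: the closing parenthesis on the `+` line is in the wrong place: `has_credential(CRED_ACCOUNT_LIST_COMMENTS), $row["ID"]` closes the call after its first argument and leaves `, $row["ID"]` inside the `if` condition, which is not valid PHP and will break the page. The second parameter of has_credential is `$approved_users=array()` (see the credentials.inc.php hunk below), so the id also needs to be wrapped in an array: `if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) {`.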
diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) 
{
$atype = account_from_sid($_COOKIE['AURSID']);
 
switch ($credential) {
-   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_PKGBASE_FLAG:
case CRED_PKGBASE_NOTIFY:
case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) 
{
case CRED_ACCOUNT_CHANGE_TYPE:
case CRED_ACCOUNT_EDIT:
case CRED_ACCOUNT_LAST_LOGIN:
+   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_ACCOUNT_SEARCH:
case CRED_COMMENT_DELETE:
case CRED_COMMENT_UNDELETE:
diff --git a/web/template/account_details.php b/web/template/account_details.php
index fa6b528..c2167e2 100644
--- a/web/template/account_details.php
+++ b/web/template/account_details.php
@@ -82,7 +82,7 @@



-   
+   



-- 
2.23.0


Re: [aur-dev][PATCH] Move permission for LIST_COMMENTS to dev/tu block

2019-08-18 Thread Lars Rustand
Will this still allow users to view their own comments? That is a very 
useful feature that I use often to not forget my conversations


On 8/18/19 9:28 AM, Eli Schwartz wrote:

In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page, but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

Signed-off-by: Eli Schwartz 
---
  web/lib/credentials.inc.php | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) 
{
$atype = account_from_sid($_COOKIE['AURSID']);
  
  	switch ($credential) {

-   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_PKGBASE_FLAG:
case CRED_PKGBASE_NOTIFY:
case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) 
{
case CRED_ACCOUNT_CHANGE_TYPE:
case CRED_ACCOUNT_EDIT:
case CRED_ACCOUNT_LAST_LOGIN:
+   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_ACCOUNT_SEARCH:
case CRED_COMMENT_DELETE:
case CRED_COMMENT_UNDELETE:


[aur-dev][PATCH] Move permission for LIST_COMMENTS to dev/tu block

2019-08-18 Thread Eli Schwartz
In commit 3578e77ad4e9258495eed7e786b7dc3aebcf1b63 we implemented
listing of comments from the account details page, but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

Signed-off-by: Eli Schwartz 
---
 web/lib/credentials.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/lib/credentials.inc.php b/web/lib/credentials.inc.php
index c125119..96c7233 100644
--- a/web/lib/credentials.inc.php
+++ b/web/lib/credentials.inc.php
@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) 
{
$atype = account_from_sid($_COOKIE['AURSID']);
 
switch ($credential) {
-   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_PKGBASE_FLAG:
case CRED_PKGBASE_NOTIFY:
case CRED_PKGBASE_VOTE:
@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) 
{
case CRED_ACCOUNT_CHANGE_TYPE:
case CRED_ACCOUNT_EDIT:
case CRED_ACCOUNT_LAST_LOGIN:
+   case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_ACCOUNT_SEARCH:
case CRED_COMMENT_DELETE:
case CRED_COMMENT_UNDELETE:
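Review bot: with the case moved here and the caller in web/html/account.php still invoking `has_credential(CRED_ACCOUNT_LIST_COMMENTS)` with no `$approved_users` (the unchanged `-` line in the v2/v3 hunks above), a regular user loses the ability to list the comments on their own profile, which is the regression the reply in this thread asks about; if self-view is meant to be kept, the caller must pass the viewed profile's id as the second argument, as v2/v3 go on to do, and the commit message should say so.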
-- 
2.23.0