Verified Commit 3ac958ac authored by Eli Schwartz's avatar Eli Schwartz
Browse files

Move permission for LIST_COMMENTS to dev/tu block

In commit 3578e77a we implemented
listing of comments from the account details page , but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.
parent 7f008b0b
......@@ -167,7 +167,7 @@ if (isset($_COOKIE["AURSID"])) {
}
} elseif ($action == "ListComments") {
if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)) {
if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row["ID"]))) {
# display the comment list if they're a TU/dev
$total_comment_count = account_comments_count($row["ID"]);
......
......@@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
$atype = account_from_sid($_COOKIE['AURSID']);
switch ($credential) {
case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_PKGBASE_FLAG:
case CRED_PKGBASE_NOTIFY:
case CRED_PKGBASE_VOTE:
......@@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
case CRED_ACCOUNT_CHANGE_TYPE:
case CRED_ACCOUNT_EDIT:
case CRED_ACCOUNT_LAST_LOGIN:
case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_ACCOUNT_SEARCH:
case CRED_COMMENT_DELETE:
case CRED_COMMENT_UNDELETE:
......
......@@ -82,7 +82,7 @@
<?php if (can_edit_account($row)): ?>
<li><a href="<?= get_user_uri($row['Username']); ?>edit"><?= __("Edit this user's account") ?></a></li>
<?php endif; ?>
<?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS)): ?>
<?php if (has_credential(CRED_ACCOUNT_LIST_COMMENTS, array($row['ID']))): ?>
<li><a href="<?= get_user_uri($row['Username']); ?>comments"><?= __("List this user's comments") ?></a></li>
<?php endif; ?>
</ul></td>
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment