moodle/moodle
3
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-08-04 08:26:37 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

MDL-64525 comments: Should not be able to delete frozen comments

Browse source 
Before this change in a frozen context a user would be able to delete
their own comments.

After this change a user will only be able to delete their own comments
if they still have the capability to post new comments or the capability
to delete comments from any user.
This commit is contained in:
Neill Magill 2019-08-09 15:20:16 +01:00
parent 7603ca3080
commit 2987182e16
4 changed files with 43 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
comment/classes/external.php
View file

@ -337,7 +337,7 @@ class core_comment_external extends external_api {
$args->area = $commentrecord->commentarea;
$manager = new comment($args);
if ($commentrecord->userid != $USER->id && !$manager->can_delete($commentrecord->id)) {
if (!$manager->can_delete($commentrecord)) {
throw new comment_exception('nopermissiontodelentry');
}

4
comment/comment_ajax.php
View file

@ -91,8 +91,8 @@ switch ($action) {
}
break;
case 'delete':
$comment_record = $DB->get_record('comments', array('id'=>$commentid));
if ($manager->can_delete($commentid) || $comment_record->userid == $USER->id) {
$comment = $DB->get_record('comments', ['id' => $commentid]);
if ($manager->can_delete($comment)) {
if ($manager->delete($commentid)) {
$result = array(
'client_id' => $client_id,

51
comment/lib.php
View file

@ -589,8 +589,7 @@ class comment {
$c->avatar = $OUTPUT->user_picture($u, array('size'=>18));
$c->userid = $u->id;
$candelete = $this->can_delete($c->id);
if (($USER->id == $u->id) || !empty($candelete)) {
if ($this->can_delete($c)) {
$c->delete = true;
}
$comments[] = $c;
@ -800,16 +799,22 @@ class comment {
/**
* Delete a comment
*
* @param int $commentid
* @param int|stdClass $comment The id of a comment, or a comment record.
* @return bool
*/
public function delete($commentid) {
global $DB, $USER;
$candelete = has_capability('moodle/comment:delete', $this->context);
if (!$comment = $DB->get_record('comments', array('id'=>$commentid))) {
public function delete($comment) {
global $DB;
if (is_object($comment)) {
$commentid = $comment->id;
} else {
$commentid = $comment;
$comment = $DB->get_record('comments', ['id' => $commentid]);
}
if (!$comment) {
throw new comment_exception('dbupdatefailed');
}
if (!($USER->id == $comment->userid || !empty($candelete))) {
if (!$this->can_delete($comment)) {
throw new comment_exception('nopermissiontocomment');
}
$DB->delete_records('comments', array('id'=>$commentid));
@ -976,13 +981,35 @@ class comment {
}
/**
* Returns true if the user can delete this comment
* @param int $commentid
* Returns true if the user can delete this comment.
*
* The user can delete comments if it is one they posted and they can still make posts,
* or they have the capability to delete comments.
*
* A database call is avoided if a comment record is passed.
*
* @param int|stdClass $comment The id of a comment, or a comment record.
* @return bool
*/
public function can_delete($commentid) {
public function can_delete($comment) {
global $USER, $DB;
if (is_object($comment)) {
$commentid = $comment->id;
} else {
$commentid = $comment;
}
$this->validate(array('commentid'=>$commentid));
return has_capability('moodle/comment:delete', $this->context);
if (!is_object($comment)) {
// Get the comment record from the database.
$comment = $DB->get_record('comments', array('id' => $commentid), 'id, userid', MUST_EXIST);
}
$hascapability = has_capability('moodle/comment:delete', $this->context);
$owncomment = $USER->id == $comment->userid;
return ($hascapability || ($owncomment && $this->can_post()));
}
/**