(fix): only allow the comment owner to edit the comment, not container

1674767b · Mark Harding · 828cc2d2 · 1674767b · 1674767b
Commit 1674767b authored 52 minutes ago by Mark Harding
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 2 deletions

comments.php Controllers/api/v1/comments.php +8 -1

comments.php Controllers/api/v2/comments.php +8 -1

No files found.
--- a/Controllers/api/v1/comments.php
+++ b/Controllers/api/v1/comments.php
@@ -99,7 +99,14 @@ class comments implements Interfaces\Api
 switch ($pages[0]) { 
 case "update": 
 $comment = $manager->getByLuid($pages[1]); 
- if (!$comment || !$comment->canEdit()) { 
+ 
+ $canEdit = $comment->canEdit(); 
+ 
+ if ($canEdit && $comment->getOwnerGuid() != Core\Session::getLoggedInUserGuid()) { 
+ $canEdit = false; 
+ } 
+ 
+ if (!$comment || !$canEdit) { 
 $response = array('status' => 'error', 'message' => 'This comment can not be edited'); 
 break; 
 } 

--- a/Controllers/api/v2/comments.php
+++ b/Controllers/api/v2/comments.php
@@ -92,7 +92,14 @@ class comments implements Interfaces\Api
 switch ($pages[0]) { 
 case "update": 
 $comment = $manager->getByLuid($pages[1]); 
- if (!$comment || !$comment->canEdit()) { 
+ 
+ $canEdit = $comment->canEdit(); 
+ 
+ if ($canEdit && $comment->getOwnerGuid() != Core\Session::getLoggedInUserGuid()) { 
+ $canEdit = false; 
+ } 
+ 
+ if (!$comment || !$canEdit) { 
 $response = array('status' => 'error', 'message' => 'This comment can not be edited'); 
 break; 
 }