Opened 8 years ago

Closed 8 years ago

#893 closed defect (fixed)

Anonymous users must not be able to edit other users comments

Reported by: datenimperator Owned by: Blackhex
Priority: normal Component: DiscussionPlugin
Severity: critical Keywords:
Cc: Trac Release: 0.10

Description

A user who has the right DISCUSSION_APPEND will see a link "edit" on every comment. Although a lot of users may append to the forum, only moderators or admins must be able to edit other people's comments.

Attachments (0)

Change History (4)

comment:1 Changed 8 years ago by datenimperator

I fixed it by editing templates/message-list.cs lines 113 and 185: you need to check that the current username is not 'anonymous' in addition to the other checks.

# line 113
<?cs if:discussion.is_moderator || ((message.author == discussion.authname) && (discussion.authname != 'anonymous')) ?>
# line 185
<?cs if:discussion.is_moderator || ((discussion.topic.author == discussion.authname) && (discussion.authname != 'anonymous')) ?>

comment:2 Changed 8 years ago by Blackhex

  • Status changed from new to assigned

Generally there is no mistake in behaviour. When you are anonymous and you create a message, it is marked with the anonymous author. Other unauthorized users with that auth name can edit only those messages. Anonymous users shouldn't be able to edit messages inserted by authenticated users. Is this the behaviour you are experiencing? If I add anonymous user checking, anonymous users won't be able to edit their own messages. A possible solution would be to mark anonymous messages with the user session id and check that instead of the anonymous auth name. Would that be the behaviour you want, or do you need that an anonymous user can't edit even his/her own messages?

comment:3 Changed 8 years ago by datenimperator

> Anonymous users shouldn't be able to edit messages inserted by authenticated users.

Yes, you're right.

To edit a message from another user, the current user needs to hold the right DISCUSSION_MODERATE or DISCUSSION_ADMIN, or has to be TRAC_ADMIN. A user that holds DISCUSSION_APPEND should be able to edit his own messages. If (in case of anonymous messages) the user can't be securely identified, the right to edit a message must not be granted. That's the payoff of being able to comment without registering first.

I'm not sure about the session id. If it's feasible to reliably identify a user with it, it could be used. But that's not my top priority.

BTW: Thanks for your quick responses!
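
The authorization rule agreed on in the comments above, written out as a small added example (not DiscussionPlugin's own code, and not the ClearSilver template that was actually patched): the "before" check compares author names only, so every anonymous visitor matches every message posted as 'anonymous'; the "after" check refuses to treat the 'anonymous' authname as an owner, while moderators are unaffected. The permission names come from the ticket; the Message class, the two check functions and the sample messages are constructed for illustration.

```python
# Added example, not DiscussionPlugin's own code: models the edit-permission
# decision discussed in ticket #893. Permission names come from the ticket;
# Message, can_edit_before/can_edit_after and the sample data are hypothetical.
from dataclasses import dataclass
from typing import Dict, FrozenSet

ANONYMOUS = "anonymous"  # Trac's authname for an unauthenticated request

# Any of these lets a user edit messages written by somebody else.
MODERATOR_PERMS = frozenset({"DISCUSSION_MODERATE", "DISCUSSION_ADMIN", "TRAC_ADMIN"})
APPEND = "DISCUSSION_APPEND"


@dataclass(frozen=True)
class Message:
    """One forum message; `author` is the authname recorded when it was posted."""
    id: int
    author: str
    text: str


def is_moderator(perms: FrozenSet[str]) -> bool:
    """True if the viewer holds any permission that allows editing others' posts."""
    return bool(perms & MODERATOR_PERMS)


def can_edit_before(authname: str, perms: FrozenSet[str], msg: Message) -> bool:
    """Ownership test as in the template before the fix: authname equality only.

    Every anonymous visitor shares the authname 'anonymous', so all of them
    'own' every anonymous message. That is the defect the ticket reports.
    """
    if is_moderator(perms):
        return True
    return APPEND in perms and msg.author == authname


def can_edit_after(authname: str, perms: FrozenSet[str], msg: Message) -> bool:
    """Ownership test with the extra guard from comment:1.

    An authname that cannot be securely tied to one person never counts as
    the owner; moderators keep their unrestricted edit right.
    """
    if is_moderator(perms):
        return True
    if authname == ANONYMOUS:
        return False
    return APPEND in perms and msg.author == authname


# Constructed sample data: one message by an authenticated user, one anonymous.
ALICE_MSG = Message(1, "alice", "posted while logged in")
ANON_MSG = Message(2, ANONYMOUS, "posted without logging in")

# Constructed viewers: (authname, permissions) as a forum with open appending
# might grant them. Only "mod" holds a moderator permission.
VIEWERS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({APPEND}),
    "bob": frozenset({APPEND}),
    ANONYMOUS: frozenset({APPEND}),
    "mod": frozenset({APPEND, "DISCUSSION_MODERATE"}),
}


def edit_matrix(check) -> Dict[str, Dict[int, bool]]:
    """Run one check function for every viewer against both sample messages."""
    return {
        viewer: {m.id: check(viewer, perms, m) for m in (ALICE_MSG, ANON_MSG)}
        for viewer, perms in VIEWERS.items()
    }


if __name__ == "__main__":
    for label, check in (("before", can_edit_before), ("after", can_edit_after)):
        print(label)
        for viewer, row in edit_matrix(check).items():
            print(f"  {viewer:>9}: edit msg 1 (alice) = {row[1]!s:5} "
                  f"edit msg 2 (anonymous) = {row[2]}")
```

The only cell that changes between the two matrices is the anonymous viewer editing the anonymous message: True before the guard, False after it. Authenticated authors still edit their own messages, other authenticated users still cannot, and the moderator edits everything in both versions.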

comment:4 Changed 8 years ago by Blackhex

  • Resolution set to fixed
  • Status changed from assigned to closed

I edited the template as you suggested in changeset 1537. A more sophisticated solution, like any other changes in DiscussionPlugin, will have to wait until I have more time.
