Anonymous users must not be able to edit other users comments

[Christian Aust]

A user who has the right DISCUSSION_APPEND will see a link "edit" on every comment. Although a lot of users may append to the forum, only moderators or admins must be able to edit other peoples comments.

[Christian Aust]

I fixed it by editing templates/message-list.cs​ lines 113 and 185: You need to check if the current username is not 'anonymous' in addition to the other checks.

# line 113
<?cs if:discussion.is_moderator || ((message.author == discussion.authname) && (discussion.authname != 'anonymous')) ?>
# line 185
<?cs if:discussion.is_moderator || ((discussion.topic.author == discussion.authname) && (discussion.authname != 'anonymous')) ?>

[Radek Bartoň]

Generally there is no mistake in behaviour. When you are anonymous and you create message it is marked with anonymous author. Other unauthorized users with that auth name can edit only that messages. Anonymous users shouldn't be able to edit messages inserted by authenticated users. Is this a behaviour you are experiencing? If I will add anonymous user checking anonyous couldn't be able to edit their own messages. Possible solution wolud be to mark anonymous messages with user session id and check that instead of anonymous auth name. Would it be behaviour you want or you need that anonymous user can't edit even his/her own messages?

[Christian Aust]

Anonymous users shouldn't be able to edit messages inserted by authenticated users.

Yes, you're right.

To edit a message from another user, the current user needs to hold the right DISCUSSION_MODERATE or DISCUSSION_ADMIN, or has to be TRAC_ADMIN. A user that holds DISCUSSION_APPEND should be able to edit his own messages. If (in case of anonymous messages) the user can't be securly identified, the right to edit a message must not be granted. That's the payoff of being able to comment without registering first.

I'm not sure about the session id. If it's feasible to reliably identify an user with it, it could be used. But that's not my top priority.

BTW: Thanks for your quick responses!

[Radek Bartoň]

I edited template as you suggested in changeset 1537. More sophisticated solution as any other changes in DiscussionPlguin will have to wait when I'll have more time.