Opened 12 years ago

Closed 12 years ago

#893 closed defect (fixed)

Anonymous users must not be able to edit other users comments

Reported by: Christian Aust
Owned by: Radek Bartoň
Priority: normal
Component: DiscussionPlugin
Severity: critical
Keywords:
Cc:
Trac Release: 0.10


A user who has the right DISCUSSION_APPEND will see a link "edit" on every comment. Although a lot of users may append to the forum, only moderators or admins must be able to edit other people's comments.

Attachments (0)

Change History (4)

comment:1 Changed 12 years ago by Christian Aust

I fixed it by editing templates/message-list.cs lines 113 and 185: you need to check that the current username is not 'anonymous' in addition to the other checks.

# line 113
<?cs if:discussion.is_moderator || (( == discussion.authname) && (discussion.authname != 'anonymous')) ?>
# line 185
<?cs if:discussion.is_moderator || (( == discussion.authname) && (discussion.authname != 'anonymous')) ?>

comment:2 Changed 12 years ago by Radek Bartoň

Status: new → assigned

Generally there is no mistake in behaviour. When you are anonymous and you create a message, it is marked with the anonymous author. Other unauthorized users with that auth name can edit only those messages. Anonymous users shouldn't be able to edit messages inserted by authenticated users. Is this the behaviour you are experiencing? If I add anonymous user checking, anonymous users wouldn't be able to edit their own messages. A possible solution would be to mark anonymous messages with the user session id and check that instead of the anonymous auth name. Would that be the behaviour you want, or do you need that an anonymous user can't edit even his/her own messages?

comment:3 Changed 12 years ago by Christian Aust

Anonymous users shouldn't be able to edit messages inserted by authenticated users.

Yes, you're right.

To edit a message from another user, the current user needs to hold the right DISCUSSION_MODERATE or DISCUSSION_ADMIN, or has to be TRAC_ADMIN. A user that holds DISCUSSION_APPEND should be able to edit his own messages. If (in the case of anonymous messages) the user can't be securely identified, the right to edit a message must not be granted. That's the payoff of being able to comment without registering first.

I'm not sure about the session id. If it's feasible to reliably identify a user with it, it could be used. But that's not my top priority.

BTW: Thanks for your quick responses!

comment:4 Changed 12 years ago by Radek Bartoň

Resolution: fixed
Status: assigned → closed

I edited the template as you suggested in changeset 1537. A more sophisticated solution, as with any other changes in DiscussionPlugin, will have to wait until I have more time.
