Opened 3 years ago
Last modified 11 months ago
#2139 reopened Defect
Anyone can delete comments on a page
| Reported by: | cash | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Elgg 1.9.0 |
| Component: | Pages | Version: | 1.7 |
| Severity: | minor | Keywords: | |
| Cc: | brettp | Difficulty: |
Description (last modified by brettp)
If the page has public write permissions, anyone can delete comments on the page or delete the page. I think they should not be able to delete comments and perhaps not delete the page (delete should be reserved to the owner and administrators).
This is how it works with comments:
- The annotation canEdit() method is called (and it wraps can_edit_extender())
- This calls can_edit_entity() on the entity that was commented on
- This recursively calls canEdit() on the container of the entity
- After that check, a permissions check plugin hook is triggered
- The pages permission hook tests whether the user can edit the page and if so, returns true
- Control is returned to can_edit_extender() and it returns the value without called the plugin hook for permissions hook annotations
There are two possibilities:
- Use some sort of context information to detect that this is a delete request and treat it differently
- Rather than skipping the permissions check for annotations, pass in the current return value and let the permissions check override it. It'd be nice to override any of the previous checks in can_edit_extender()
Change History (9)
comment:1 Changed 3 years ago by cash
comment:2 Changed 2 years ago by cash
- Milestone changed from Elgg 1.8 to Elgg 1.8.1
comment:3 Changed 16 months ago by cash
- Component changed from Core to Pages
- Milestone changed from Elgg 1.8.x to Elgg 1.8.5
lets get a fix in there for pages plugin
comment:4 Changed 13 months ago by sembrestels
+1 to canDelete() method.
By default it should return the same value of canEdit(), but if you override it, you can do it more restrictive.
The first restriction example will be in pages plugin.
comment:5 Changed 13 months ago by Brett Profitt
Refs #2139. Checking in pages delete action for owner / admin
Changeset: a198fe67109af23a398f8a152d693074dc041396
comment:6 Changed 13 months ago by brettp
- Description modified (diff)
- Milestone changed from Elgg 1.8.5 to Elgg 1.9.0
I don't see a clean way to reliably do this this without changing the API, so this will have to be pushed out to 1.9. The canDelete method is the solution. If someone has an idea, please comment and reopen.
comment:7 Changed 12 months ago by Brett Profitt
Refs #2139. Checking in pages delete action for owner / admin
Changeset: a198fe67109af23a398f8a152d693074dc041396
comment:8 Changed 11 months ago by sembrestels
- Resolution set to Closed
- Status changed from new to closed
comment:9 Changed 11 months ago by sembrestels
- Resolution Closed deleted
- Status changed from closed to reopened
Sorry, I was confused, I thought it was closed.
Another option is to add a canDelete method