forum.coppermine-gallery.net

No Support => Feature requests => Topic started by: raetsche on January 28, 2004, 12:20:42 pm

Title: An anonymous user can delete EVERY anonymous comment
Post by: raetsche on January 28, 2004, 12:20:42 pm
Hi there,

this problem/feature request was already mentioned some time ago.
http://forum.coppermine-gallery.net/index.php?topic=2270&highlight=comments+delete

But no answers have been posted yet, because it was posted in a closed forum.
The problem is that anonymous users can delete any comment that other anonymous users have posted before! So, e.g., if I read an anonymous post I don't like, I can delete it without problems.
It would be a solution to allow anonymous users only to create comments but NOT to delete comments. Only the administrator should be able to delete anonymous comments.

Does anybody have an idea how to solve this problem, or is something already in the works?

Nice greetings
Title: An anonymous user can delete EVERY anonymous comment
Post by: Nibbler on January 28, 2004, 01:17:18 pm
I was unable to replicate this problem, but if you open displayimage.php and change:

Code:

// admin, or the logged-in author, or an anonymous poster whose $USER['ID'] matches the comment's author_md5_id
$user_can_edit = (GALLERY_ADMIN_MODE) || (USER_ID && USER_ID == $row['author_id'] && USER_CAN_POST_COMMENTS) || (!USER_ID && USER_CAN_POST_COMMENTS && ($USER['ID'] == $row['author_md5_id']));

to:

Code:

// admin, or the logged-in author only; the anonymous branch is gone
$user_can_edit = (GALLERY_ADMIN_MODE) || (USER_ID && USER_ID == $row['author_id'] && USER_CAN_POST_COMMENTS);

which will stop any anonymous user from being given the option to delete/edit,

and if you want to be extra safe, comment out this line:

Code:

// the UPDATE that lets an anonymous poster (author_id = 0) change a comment whose author_md5_id matches their own $USER['ID']
$update = db_query("UPDATE {$CONFIG['TABLE_COMMENTS']} SET msg_body='$msg_body' WHERE msg_id='$msg_id' AND author_md5_id ='{$USER['ID']}' AND author_id = '0' LIMIT 1");

from db_input.php to actually remove that ability from them.
Title: An anonymous user can delete EVERY anonymous comment
Post by: raetsche on January 28, 2004, 02:38:06 pm
Thanks for the answer, but now I know why you couldn't replicate the problem. The ability to delete posts is based on the writer's IP address. I am testing here on a local system and the IP address is always 127.0.0.1, so I can delete every anonymous comment...

Anyway, maybe the post is helpful for other people testing on a local system ;-)
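The following PHP is an added example, not Coppermine's code and not from either poster. It models the two authorization checks Nibbler quoted, the original with the anonymous branch and the hardened one without it, and runs them against the situation raetsche describes: two different anonymous visitors who share one IP address (a local 127.0.0.1 test box, a NAT gateway or a proxy). The derivation of the anonymous id as md5 of the client IP, the `anonymous_id()` helper and the array shapes are assumptions made for the illustration; the real key derivation in Coppermine may differ.

```php
<?php
// Added example (not Coppermine code): models the comment-edit authorization
// decision quoted from displayimage.php, before and after the change, to show
// why an identity derived from the client IP lets one anonymous visitor edit or
// delete another's comment whenever both arrive from the same address.

declare(strict_types=1);

// Assumption: the anonymous identifier is md5 of the client IP, as described in
// the thread. Everyone behind one address therefore gets the same identifier.
function anonymous_id(string $clientIp): string
{
    return md5($clientIp);
}

/**
 * Original check: admin, or the logged-in author, or an anonymous visitor whose
 * IP-derived id equals the comment's author_md5_id.
 */
function userCanEditOriginal(array $viewer, array $comment): bool
{
    if ($viewer['is_admin']) {
        return true;
    }
    if ($viewer['user_id'] !== 0) {
        return $viewer['user_id'] === $comment['author_id'] && $viewer['can_post_comments'];
    }
    // Anonymous branch: identity is only as unique as the client IP.
    return $viewer['can_post_comments'] && $viewer['anon_id'] === $comment['author_md5_id'];
}

/** Hardened check: anonymous visitors are never granted edit/delete rights. */
function userCanEditHardened(array $viewer, array $comment): bool
{
    if ($viewer['is_admin']) {
        return true;
    }
    return $viewer['user_id'] !== 0
        && $viewer['user_id'] === $comment['author_id']
        && $viewer['can_post_comments'];
}

// Constructed scenario: an anonymous comment written from a shared address.
$sharedIp = '127.0.0.1';
$comment = [
    'msg_id'        => 1,
    'author_id'     => 0,                       // anonymous author
    'author_md5_id' => anonymous_id($sharedIp),
];

// A different anonymous visitor behind the same address (raetsche's local test).
$sameAddressVisitor = [
    'is_admin'          => false,
    'user_id'           => 0,
    'can_post_comments' => true,
    'anon_id'           => anonymous_id($sharedIp),
];

// An anonymous visitor from another address (Nibbler's test, which could not reproduce it).
$otherAddressVisitor = $sameAddressVisitor;
$otherAddressVisitor['anon_id'] = anonymous_id('192.0.2.10'); // constructed documentation-range IP

$cases = [
    'same address, original check'  => userCanEditOriginal($sameAddressVisitor, $comment),
    'other address, original check' => userCanEditOriginal($otherAddressVisitor, $comment),
    'same address, hardened check'  => userCanEditHardened($sameAddressVisitor, $comment),
    'other address, hardened check' => userCanEditHardened($otherAddressVisitor, $comment),
];

foreach ($cases as $label => $allowed) {
    printf("%-32s may edit/delete: %s\n", $label, $allowed ? 'yes' : 'no');
}
```

Run with `php example.php`. The "same address" row under the original check is the thread's finding: the IP hash is a shared secret for everyone behind that address, not an identity, so the only safe rule for anonymous comments is the hardened one, where edit and delete are reserved for the administrator and for logged-in authors.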