V3 Comment Moderation Logic Bug

Development and Programming

anthonystauffer
2 posts
7 years ago

I think there’s a logic bug in the v3 comment moderation code (might not be an issue in v4, but I can’t upgrade yet because of add-ons).

On line 3167 of mod.comments.php, the system tries to determine if the currently logged-in user has permission to moderate and/or edit the current comment:

if (ee('Permission')->has('can_edit_all_comments')
    OR (ee('Permission')->has('can_edit_own_comments')
        && $query->row('entry_author_id') == ee()->session->userdata['member_id']))
{
    $can_edit = TRUE;
    $can_moderate = TRUE;
}

So, the code is checking if:

  1. The current user has permission to edit ALL comments OR
  2. The current user can edit his/her OWN comments AND the current ENTRY was authored by this user.

I think this is a bug because the code should be checking if the COMMENT was authored by this user, not the ENTRY.

If a user comments on any article, and the permissions system specifies that members of the group they belong to are allowed to edit their own comments, shouldn’t they be able to edit those comments regardless of who authored the entry they commented on?

Why does the author of the entry have anything to do with whether the currently logged-in user is able to edit his/her own comments if the permissions specifically say they are able to do that?

I think this line:

$query->row('entry_author_id') == ee()->session->userdata['member_id']

should be changed to

$query->row('author_id') == ee()->session->userdata['member_id']

so that the system is checking the author of the comment itself, not the entry.
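As an added illustration (not code from the post or from ExpressionEngine), the following stand-alone PHP models the check as quoted and the proposed change as two plain functions and evaluates both over a constructed comment row; `ee('Permission')` and `$query->row()` are replaced by a permission array and an associative row array, which is an assumption for the sake of running it offline.

```php
<?php
// Added example, not ExpressionEngine code. The real check reads permissions
// from ee('Permission') and the row from $query->row(); here both are plain
// arrays so the two predicates can be compared side by side.

// The check as quoted from mod.comments.php: compares the ENTRY author.
function can_edit_as_written(array $perms, array $row, int $member_id): bool
{
    return !empty($perms['can_edit_all_comments'])
        || (!empty($perms['can_edit_own_comments'])
            && $row['entry_author_id'] == $member_id);
}

// The change proposed in the post: compares the COMMENT author instead.
function can_edit_proposed(array $perms, array $row, int $member_id): bool
{
    return !empty($perms['can_edit_all_comments'])
        || (!empty($perms['can_edit_own_comments'])
            && $row['author_id'] == $member_id);
}

// Constructed fixture: member 7 wrote the entry, member 42 left the comment,
// and the group in question may edit its own comments but not all comments.
$perms   = ['can_edit_all_comments' => false, 'can_edit_own_comments' => true];
$comment = ['entry_author_id' => 7, 'author_id' => 42];

// Walk both predicates for each member to see exactly where they disagree:
// the entry author gets edit rights over someone else's comment under the
// check as written, while the commenter is denied editing their own comment.
$members = [7 => 'entry author', 42 => 'comment author', 99 => 'bystander'];
foreach ($members as $id => $label) {
    printf(
        "%-15s as_written=%-5s proposed=%s\n",
        $label,
        var_export(can_edit_as_written($perms, $comment, $id), true),
        var_export(can_edit_proposed($perms, $comment, $id), true)
    );
}
```

Note that the two functions only differ in which row column is compared, so the rows where their results diverge are precisely the cases described above.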
