external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Move permission for LIST_COMMENTS to dev/tu block

Browse source 
In commit 3578e77ad4 we implemented
listing of comments from the account details page , but this was
intended to only be available to TUs and Devs. As the comment says:
"display the comment list if they're a TU/dev"

The credential checking code, however, set this credential for all
users, contrary to the intention of the commit.

In order to preserve the ability to list a person's own comments, also
declare the allowed uids based on the profile being viewed.
This commit is contained in:
Eli Schwartz 2019-08-18 03:17:05 -04:00
parent 7f008b0bc4
commit 3ac958ac01
No known key found for this signature in database
GPG key ID: CEB167EFB5722BD6
3 changed files with 3 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
web/lib/credentials.inc.php
View file

@ -49,7 +49,6 @@ function has_credential($credential, $approved_users=array()) {
$atype = account_from_sid($_COOKIE['AURSID']);
switch ($credential) {
case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_PKGBASE_FLAG:
case CRED_PKGBASE_NOTIFY:
case CRED_PKGBASE_VOTE:
@ -60,6 +59,7 @@ function has_credential($credential, $approved_users=array()) {
case CRED_ACCOUNT_CHANGE_TYPE:
case CRED_ACCOUNT_EDIT:
case CRED_ACCOUNT_LAST_LOGIN:
case CRED_ACCOUNT_LIST_COMMENTS:
case CRED_ACCOUNT_SEARCH:
case CRED_COMMENT_DELETE:
case CRED_COMMENT_UNDELETE: