Commit 0fad496c authored by Gerhard Killesreiter's avatar Gerhard Killesreiter

#55622, Security threat -- any user can delete comments, patch by robertgarrigos

parent 717d6e30
......@@ -120,12 +120,13 @@ function comment_menu($may_cache) {
$items[] = array('path' => 'admin/comment/configure/settings', 'title' => t('settings'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
$access = user_access('post comments');
$items[] = array('path' => 'comment/edit', 'title' => t('edit comment'),
'callback' => 'comment_edit', 'access' => $access, 'type' => MENU_CALLBACK);
$items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
}
else {
if (arg(0) == 'comment' && arg(1) == 'reply' && is_numeric(arg(2))) {
......
......@@ -120,12 +120,13 @@ function comment_menu($may_cache) {
$items[] = array('path' => 'admin/comment/configure/settings', 'title' => t('settings'),
'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
$items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
$access = user_access('post comments');
$items[] = array('path' => 'comment/edit', 'title' => t('edit comment'),
'callback' => 'comment_edit', 'access' => $access, 'type' => MENU_CALLBACK);
$items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
}
else {
if (arg(0) == 'comment' && arg(1) == 'reply' && is_numeric(arg(2))) {
......
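Review bot: The `comment/delete` item now takes its permission only from its position above `$access = user_access('post comments');`, so the protection depends on statement order and on whatever `$access` held before this hunk, which is not visible here (presumably the administrative comment permission). A later reordering of these `$items[]` entries would silently reopen the hole that this commit closes. I would bind the check to the item itself, e.g. `'access' => user_access('administer comments')` on the `comment/delete` entry, and add a comment such as `// Deleting is an admin action; never reuse the 'post comments' $access set below.` The body of comment_menu starts and ends outside the hunk, and the `comment_delete` callback is not shown, so it is worth confirming that the callback does not rely on the menu check alone.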