
Users unable to delete their own comments [RESOLVED]

eythian New
edited March 2018 in Vanilla 2.0 - 2.8

I'm running 2.5.1 (this also happened in 2.5.)

I have $Configuration['Vanilla']['Comments']['AllowSelfDelete'] = true; set in conf/config.php.

Users have the option to delete their own comments, they can access this function through the gear wheel on their posts. However, when they try to, the following happens:

  1. a confirmation dialogue pops up, I click Okay
  2. a lightbox with a "processing" sort of animation appears
  3. a message appears in the bottom-left saying: "You don't have permission to do that" with a little lightbulb icon
  4. the modal lightbox doesn't disappear, requiring the page to be reloaded to do anything again.

Comments

  • R_J Ex-Fanboy Munich Admin

    Please check the JavaScript console if any error occurs


  • There are no JavaScript errors. This doesn't surprise me, as it works for admin users.

    It does make me think of something else however.

    The request issued is: https://example.com/forum/discussion/deletecomment/88196/[random string]/?Target=/discussion/1693/x&DeliveryType=BOOL&DeliveryMethod=JSON and the server responds with:

    {
        "Code": 403,
        "Exception": "You don't have permission to do that.",
        "Class": "Gdn_UserException"
    }
    

    This suggests to me that the auth check on the server side is most likely broken.

  • R_J Ex-Fanboy Munich Admin
    edited March 2018

    I've taken a look at the source and I'm sure you have found a bug. Do you want to report it yourself on GitHub?

    Makes no sense to let you do that since I already invested the time to look at the code. I'll file an issue.


  • R_J Ex-Fanboy Munich Admin


  • Ah, thanks for finding that!

  • R_J Ex-Fanboy Munich Admin

    The fix is quite simple if you can't wait for it to be implemented and you know what you are doing: https://github.com/vanilla/vanilla/pull/6782/files


  • That works a treat, thanks.

  • charrondev Developer Lead (PHP, JS) Montreal Vanilla Staff

    I've left some more information in the pull request and the issue on GitHub about this. The initially proposed fix represents a potential security hole, as it would allow a user to delete any content of theirs, bypassing the timeout set in the config.
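The authorization point charrondev raises, shown as an added example that is not Vanilla's code and not the code in the pull request: a stand-alone PHP sketch of an ownership-only check (the kind the first fix amounted to) beside a check that also requires the self-delete switch and the edit-timeout window. The timeout config key, the helper names, the "hasDeletePermission" flag standing in for the moderator permission, and the sample comments are all assumptions made for this illustration; only the AllowSelfDelete key and the 403 JSON shape come from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not Vanilla's code. Constructed config: the AllowSelfDelete key is the
// one named in the thread; the edit-timeout key name and its semantics (-1 = unlimited,
// 0 = editing disabled, otherwise a number of seconds) are assumptions for this sketch.
const CONFIG = [
    'Vanilla.Comments.AllowSelfDelete' => true,
    'Garden.EditContentTimeout'        => 3600,
];

/** The shape of fix the thread calls a security hole: the author may delete at any time. */
function canDeleteCommentOwnerOnly(array $comment, int $userId, bool $hasDeletePermission): bool
{
    return $hasDeletePermission || $comment['InsertUserID'] === $userId;
}

/** Hardened: ownership, the self-delete switch and the edit window must all hold. */
function canDeleteComment(array $comment, int $userId, bool $hasDeletePermission, array $config, int $now): bool
{
    if ($hasDeletePermission) {
        return true;                                // moderator path, unchanged
    }
    if ($comment['InsertUserID'] !== $userId) {
        return false;                               // not the author
    }
    if (empty($config['Vanilla.Comments.AllowSelfDelete'])) {
        return false;                               // self-delete switched off
    }
    $timeout = (int) ($config['Garden.EditContentTimeout'] ?? 0);
    if ($timeout === -1) {
        return true;                                // unlimited edit window (assumed semantics)
    }
    if ($timeout === 0) {
        return false;                               // editing disabled entirely (assumed semantics)
    }
    return ($now - $comment['DateInserted']) <= $timeout;
}

/** Produce the JSON body the original poster captured when the check fails. */
function deleteCommentResponse(array $comment, int $userId, bool $hasDeletePermission, array $config, int $now): array
{
    if (!canDeleteComment($comment, $userId, $hasDeletePermission, $config, $now)) {
        return [
            'Code'      => 403,
            'Exception' => "You don't have permission to do that.",
            'Class'     => 'Gdn_UserException',
        ];
    }
    return ['Code' => 200, 'Deleted' => $comment['CommentID']];
}

// Constructed sample data: user 42 owns a fresh comment and a day-old one; user 7 owns the third.
$now     = 1520000000;
$fresh   = ['CommentID' => 1, 'InsertUserID' => 42, 'DateInserted' => $now - 600];
$stale   = ['CommentID' => 2, 'InsertUserID' => 42, 'DateInserted' => $now - 86400];
$foreign = ['CommentID' => 3, 'InsertUserID' => 7,  'DateInserted' => $now - 600];

foreach ([$fresh, $stale, $foreign] as $c) {
    printf(
        "comment %d  owner-only=%s  hardened=%s\n",
        $c['CommentID'],
        var_export(canDeleteCommentOwnerOnly($c, 42, false), true),
        var_export(canDeleteComment($c, 42, false, CONFIG, $now), true)
    );
}
echo json_encode(deleteCommentResponse($stale, 42, false, CONFIG, $now), JSON_PRETTY_PRINT), "\n";
```

Run with `php` on the command line. The day-old comment is the case that separates the two checks: the ownership-only version lets user 42 delete it, the hardened version returns the same 403 body the poster saw, because the comment is outside the edit window even though AllowSelfDelete is on. The moderator branch is evaluated first and is untouched by the self-delete logic, which is the property a fix for the original bug needs to preserve.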

  • Linc Detroit Admin

    I think @R_J isn't allowed to claim he isn't a developer anymore. :chuffed:

  • R_J Ex-Fanboy Munich Admin

    @eythian there is a slightly more complicated solution now which also handles the problem charrondev has mentioned. Based on your skills, you can implement the changes; maybe it is even possible to use some git magic to get this onto your installation.


  • Thanks, though in the spirit of "don't touch what isn't broken", I'll probably leave the current solution. The issue where timeouts don't apply to the deletion doesn't apply to my installation anyway.

  • charrondev Developer Lead (PHP, JS) Montreal Vanilla Staff

    I'm glad that the initial solution worked for you, but we would not have been able to accept it into our product due to the issue I had described. The new fix that @R_J provided has been merged and will be part of the upcoming v2.6 release though, so after that release you should be able to remove your temporary fix.
