Users unable to delete their own comments [RESOLVED]
eythian
I'm running 2.5.1 (this also happened in 2.5.)
I have conf/config.php: $Configuration['Vanilla']['Comments']['AllowSelfDelete'] = true; set.
Users have the option to delete their own comments, they can access this function through the gear wheel on their posts. However, when they try to, the following happens:
- a confirmation dialogue pops up, I click Okay
- a lightbox with a "processing" sort of animation appears
- a message appears in the bottom-left saying: "You don't have permission to do that" with a little lightbulb icon
- the modal lightbox doesn't disappear, requiring the page to be reloaded to do anything again.
Comments
Please check the JavaScript console if any error occurs
There are no JavaScript errors. This doesn't surprise me, as it works for admin users.
It does make me think of something else however.
The request issued is:
https://example.com/forum/discussion/deletecomment/88196/[random string]/?Target=/discussion/1693/x&DeliveryType=BOOL&DeliveryMethod=JSON
and the server responds with:
This suggests to me that the auth check on the server side is most likely broken.
I've taken a look at the source and I'm sure you have found a bug. Do you want to report it yourself on GitHub?
Makes no sense to let you do that since I already invested the time to look at the code. I'll file an issue.
Oh, it is already known... https://github.com/vanilla/vanilla/issues/5867
Ah, thanks for finding that!
The fix is quite simple if you can't wait for it to be implemented and you know what you are doing: https://github.com/vanilla/vanilla/pull/6782/files
That works a treat, thanks.
I've left some more information in the pull request and the issue on GitHub about this. The initial proposal represents a potential security hole, as it would allow a user to delete any content of theirs, bypassing the timeout set in the config.
I think @R_J isn't allowed to claim he isn't a developer anymore.
@eythian there is a slightly more complicated solution now which also handles the problem charrondev has mentioned. Based on your skills you can implement the changes, maybe it is even possible to use some git magic to get this to your installation.
Thanks, though in the spirit of "don't touch what isn't broken", I'll probably leave the current solution. The issue where timeouts don't apply to the deletion doesn't apply to my installation anyway.
I'm glad that the initial solution worked for you, but we would not have been able to accept it into our product due to the issue I had described. The new fix that @R_J provided has been merged and will be part of the upcoming v2.6 release though, so after that release you should be able to remove your temporary fix.
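The timeout concern raised in the thread, as an added example that is not code from Vanilla or from the linked pull request: a self-delete check has to test the feature flag, ownership and the configured edit timeout together, and an ownership-only check leaves old comments deletable. All function, parameter and array-key names are hypothetical, and treating a timeout of 0 as "no limit" is an assumption.

```php
<?php
// Added illustration; not Vanilla's code. All names are hypothetical.

/**
 * Decide whether $userId may delete $comment.
 *
 * $comment: ['authorId' => int, 'insertedAt' => int (Unix time)]
 * $config:  ['allowSelfDelete' => bool, 'editTimeout' => int seconds]
 * $respectTimeout = false models an ownership-only check, the weakness
 * described in the thread.
 */
function canDeleteComment(int $userId, bool $isModerator, array $comment,
                          array $config, int $now, bool $respectTimeout = true): bool
{
    if ($isModerator) {
        return true; // moderators keep the regular delete permission
    }
    if (empty($config['allowSelfDelete'])) {
        return false; // feature disabled: deny by default
    }
    if ($comment['authorId'] !== $userId) {
        return false; // self-delete never covers other users' comments
    }
    if (!$respectTimeout) {
        return true; // ownership-only: the timeout is never consulted
    }
    $timeout = (int)($config['editTimeout'] ?? 0);
    if ($timeout <= 0) {
        return true; // assumption: 0 means no time limit is configured
    }
    return ($now - $comment['insertedAt']) <= $timeout;
}

// Constructed sample data.
$config = ['allowSelfDelete' => true, 'editTimeout' => 3600];
$now    = 1700000000;
$fresh  = ['authorId' => 7, 'insertedAt' => $now - 600];
$old    = ['authorId' => 7, 'insertedAt' => $now - 86400];

var_dump(canDeleteComment(7, false, $fresh, $config, $now));      // own comment, inside the window
var_dump(canDeleteComment(7, false, $old, $config, $now));        // own comment, window expired
var_dump(canDeleteComment(7, false, $old, $config, $now, false)); // same comment, ownership-only check
var_dump(canDeleteComment(8, false, $fresh, $config, $now));      // another user's comment
var_dump(canDeleteComment(1, true, $old, $config, $now));         // moderator
```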