-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
QUESTION/BUG: Edit comment/reply - no authorization, anyone can edit anyones content #125
Comments
If it's a socket msg the Auth will be same as the Auth on pad socket MSG's. In theory.... |
@JohnMcLear IF that is the only layer, then this authorization says "you can edit this pad". that also means you can edit anyones comment/reply, it does not verify the comment/reply you are editing is created by you, thus are authorized to edit. |
Yeah I'd guess that's the case then. Welcome to see this change with tests! |
Thanks for the info. Any quick ideas how you would approach? |
Check comment.authorID matches authorID of the socket trying to make the change. Shouldn't be too hard to accomplish. I'm sure there will be gotchas tho ;) |
@tiblu what's your status? 🥇 |
Unfortunately no change and no ETA. I haven't done any software development for a while and not sure when I'm back at it. Sorry, thats the way it is. |
@tiblu no problem man, I totally know how that goes 👍 |
FWIW @rhansen has fixed this now afaik, or at least some progress has been made, I will let him update :) |
Nope, not fixed yet—I've been distracted doing other stuff. I hope to work on this next week. |
There are a few different ways we could address this, so I would like to get some input from everyone. This is the behavior I would prefer to implement because it's the easiest:
There are some drawbacks with the above permission model:
With strategically placed hooks, people should be able to write plugins that address the above issues. But until those plugins are written, some users will consider the comments plugin to be broken for their use case. Thoughts? |
cc @tiblu for for thoughts :) |
@rhansen @JohnMcLear @tiblu this is how I solved it, sorry for no pull request, haven' t had the time to do it as our fork has other changes too https://github.com/citizenos/ep_comments/commit/d5c1bf1c80f81812656940e8e3b696ad879684f3 |
I think this behavior would work for us (Citizen OS). Also, in @ilmartyrk I trust (#125 (comment)). And thanks to all for the input! |
To be honest I would also hide the edit and delete button when the user has no access. |
@woeterman94 Few approaches come to mind:
In context of EP, either of these would work. |
I would go for option 2, but perform a check in the backend. |
Hello everyone and @ilmartyrk, As @rhansen mentionned :
And more importantly :
Since #163, users have reported that they cannot remove or edit other's comments, which is part of their usual workflow. Would it be possible to use a configuration parameter to enable or disable this behaviour ? It don't see a "good reason" to disable editing/remove other's comment in all situations. Unfortunately, I don't really have time nor skills to code that, so I would totally understand if you do not have time to "fix" it. |
A comment and a session are both linked to an authorId right?
Don't know. I think by default it shouldn't be allowed.
I'd suggest you don't upgrade and use the previous version which allows it? |
I think so, the point is that if you delete your cookies for whatever reason or use a different computer/browser, the comments have no way to get deleted, and some users will periodically purge cookies from their browser.
I agree. The problem is more the sudden behaviour switch. Our instance being active for more than 2 years and used mostly by project groups and associations, the workflow with comments is often :
As a temporary fix, yes, but next versions will get bugfixes, etc. I apologize if I sounded disrespectful in any way. My point is just that being able to edit and remove other's comment is a realistic and common features for a lot of workflows, and that it should be configurable with a plugin parameter. |
Question
Do I understand correctly that there is no authorization for editing comment/reply? That is, anyone can edit anyones comment/reply?
https://github.com/ether/ep_comments/blob/master/commentManager.js#L272
IF that is true, any suggestions how to approach this, we'd be interested in only original author being able to edit comment/reply.
We MAY PR this.
Related to:
The text was updated successfully, but these errors were encountered: