Commit 1fe0319b authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Fix for bypassing moderation when making comment public (Bug #1171310)

To get a private -> public comment moderated the system needs to check:
* if the view has approvecomments set to 1
* if the submitter has checked the make public checkbox
* if the submitter is not the owner of the view
* if the view is a group view
* if the approvecomments are set per view

The comment table is then updated accordingly, and a notification message is now sent if needed.

Removed some unneeded variable declarations

Change-Id: I276c3d3fa67a99d9030d10a6172048c255e91b5b
Signed-off-by: Robert Lyon's avatarrobertl <robertl@catalyst.net.nz>
parent 0f2552c7
......@@ -110,13 +110,27 @@ $form = pieform(array(
));
function edit_comment_submit(Pieform $form, $values) {
global $viewid, $comment, $SESSION, $goto;
global $viewid, $comment, $SESSION, $goto, $USER;
db_begin();
$comment->set('description', $values['message']);
$comment->set('rating', valid_rating($values['rating']));
$comment->set('private', 1 - (int) $values['ispublic']);
require_once(get_config('libroot') . 'view.php');
$view = new View($viewid);
$owner = $view->get('owner');
$group = $comment->get('group');
$approvecomments = $view->get('approvecomments');
if (!empty($group) && ($approvecomments || (!$approvecomments && $view->user_comments_allowed($USER) == 'private')) && $values['ispublic'] && !$USER->can_edit_view($view)) {
$comment->set('requestpublic', 'author');
}
else if (($approvecomments || (!$approvecomments && $view->user_comments_allowed($USER) == 'private')) && $values['ispublic'] && (!empty($owner) && $owner != $comment->get('author'))) {
$comment->set('requestpublic', 'author');
}
else {
$comment->set('private', 1 - (int) $values['ispublic']);
$comment->set('requestpublic', null);
}
$comment->commit();
require_once('activity.php');
......@@ -126,6 +140,15 @@ function edit_comment_submit(Pieform $form, $values) {
);
activity_occurred('feedback', $data, 'artefact', 'comment');
if ($comment->get('requestpublic') == 'author') {
if (!empty($owner)) {
edit_comment_notify($view, $comment->get('author'), $owner);
}
else if (!empty($group)) {
$group_admins = group_get_admin_ids($group);
// TO DO: need to notify the group admins bug #1197197
}
}
db_commit();
......@@ -133,6 +156,37 @@ function edit_comment_submit(Pieform $form, $values) {
redirect($goto);
}
function edit_comment_notify($view, $author, $owner) {
global $comment, $SESSION;
$data = (object) array(
'subject' => false,
'message' => false,
'strings' => (object) array(
'subject' => (object) array(
'key' => 'makepublicrequestsubject',
'section' => 'artefact.comment',
'args' => array(),
),
'message' => (object) array(
'key' => 'makepublicrequestbyauthormessage',
'section' => 'artefact.comment',
'args' => array(hsc(display_name($author, $owner))),
),
'urltext' => (object) array(
'key' => 'Comment',
'section' => 'artefact.comment',
),
),
'users' => array($owner),
'url' => $comment->get_view_url($view->get('id'), true, false),
);
if (!empty($owner)) {
$SESSION->add_ok_msg(get_string('makepublicrequestsent', 'artefact.comment', display_name($owner)));
}
activity_occurred('maharamessage', $data);
}
$stylesheets = array('style/jquery.rating.css');
$smarty = smarty(array('jquery.rating'), array(), array(), array('stylesheets' => $stylesheets));
$smarty->assign('PAGEHEADING', TITLE);
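Review bot: An edit where neither `$group` nor `$owner` is set falls through to the final `else` of the first hunk and publishes the comment at once, even when `$approvecomments` is on — if a view can lack both (an institution-owned view, for instance) that remains a moderation bypass, so it is worth confirming what `$comment->get('group')` and `$view->get('owner')` return in that case. The moderation test `$approvecomments || (!$approvecomments && $view->user_comments_allowed($USER) == 'private')` is duplicated across the two branches and its `!$approvecomments &&` part is redundant; hoisting it into one variable keeps the two conditions in step and gives a single place to add the missing case. In the second hunk `$group_admins` is assigned but never read until the TODO is resolved, and `edit_comment_notify` re-checks `!empty($owner)` that its only call site already guarantees.
```php
function edit_comment_submit(Pieform $form, $values) {
    // … unchanged: globals, db_begin(), description/rating, View lookup, $owner/$group …
    $approvecomments = $view->get('approvecomments');
    // Publishing must be moderated when the view approves comments or only
    // allows this user private comments; computed once so both branches agree.
    $moderated = $approvecomments || $view->user_comments_allowed($USER) == 'private';
    $wantspublic = !empty($values['ispublic']);
    if ($wantspublic && $moderated && !empty($group) && !$USER->can_edit_view($view)) {
        $comment->set('requestpublic', 'author');
    }
    else if ($wantspublic && $moderated && !empty($owner) && $owner != $comment->get('author')) {
        $comment->set('requestpublic', 'author');
    }
    else {
        // TODO(review): confirm a moderated view with neither owner nor group cannot reach here
        $comment->set('private', 1 - (int) $values['ispublic']);
        $comment->set('requestpublic', null);
    }
    // … unchanged: commit(), activity notification …
```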
......
......@@ -339,7 +339,7 @@ class ArtefactTypeComment extends ArtefactType {
$comments = get_records_sql_assoc('
SELECT
a.id, a.author, a.authorname, a.ctime, a.mtime, a.description,
a.id, a.author, a.authorname, a.ctime, a.mtime, a.description, a.group,
c.private, c.deletedby, c.requestpublic, c.rating,
u.username, u.firstname, u.lastname, u.preferredname, u.email, u.staff, u.admin,
u.deleted, u.profileicon, u.urlid
......@@ -468,7 +468,7 @@ class ArtefactTypeComment extends ArtefactType {
// private comment be made public
if (!$item->deletedby && $item->private && $item->author && $data->owner
&& ($item->isauthor || $data->isowner)) {
if (empty($item->requestpublic)
if ((empty($item->requestpublic) && $data->isowner)
|| $item->isauthor && $item->requestpublic == 'owner'
|| $data->isowner && $item->requestpublic == 'author') {
$item->makepublicform = pieform(self::make_public_form($item->id));
......@@ -482,6 +482,21 @@ class ArtefactTypeComment extends ArtefactType {
&& $data->owner && $data->isowner && $item->requestpublic == 'author') {
$item->makepublicform = pieform(self::make_public_form($item->id));
}
else if (!$item->deletedby && $item->private && !$data->owner
&& $item->group && $item->requestpublic == 'author') {
// no owner as comment is on a group view / artefact
if ($item->isauthor) {
$item->makepublicrequested = 1;
}
else {
if (($data->artefact && $data->canedit) || ($data->view && $data->canedit)) {
$item->makepublicform = pieform(self::make_public_form($item->id));
}
else {
$item->makepublicrequested = 1;
}
}
}
if ($item->author) {
if (isset($authors[$item->author])) {
......@@ -749,8 +764,25 @@ function make_public_validate(Pieform $form, $values) {
$author = $comment->get('author');
$owner = $comment->get('owner');
$requester = $USER->get('id');
$group = $comment->get('group');
if (!$owner || !$requester || ($requester != $owner && $requester != $author)) {
if (!$owner && !$group) {
$form->set_error('comment', get_string('makepublicnotallowed', 'artefact.comment'));
}
else if (!$owner && $group) {
if ($requester) {
$allowed = false;
// check to see if the requester is a group admin
$group_admins = group_get_admin_ids($group);
if (array_search($requester,$group_admins) === false) {
$form->set_error('comment', get_string('makepublicnotallowed', 'artefact.comment'));
}
}
else {
$form->set_error('comment', get_string('makepublicnotallowed', 'artefact.comment'));
}
}
else if (!$owner || !$requester || ($requester != $owner && $requester != $author)) {
$form->set_error('comment', get_string('makepublicnotallowed', 'artefact.comment'));
}
}
......@@ -765,10 +797,16 @@ function make_public_submit(Pieform $form, $values) {
$author = $comment->get('author');
$owner = $comment->get('owner');
$groupid = $comment->get('group');
$group_admins = array();
if ($groupid) {
$group_admins = group_get_admin_ids($groupid);
}
$requester = $USER->get('id');
if (($author == $owner && $requester == $owner)
|| ($requester == $owner && $comment->get('requestpublic') == 'author')
|| (array_search($requester,$group_admins) !== false && $comment->get('requestpublic') == 'author')
|| ($requester == $author && $comment->get('requestpublic') == 'owner')) {
$comment->set('private', 0);
$comment->set('requestpublic', null);
......@@ -792,6 +830,13 @@ function make_public_submit(Pieform $form, $values) {
$userid = $owner;
$sessionmessage = get_string('makepublicrequestsent', 'artefact.comment', display_name($owner));
}
else if (array_search($requester,$group_admins) !== false) {
$comment->set('requestpublic', 'owner');
$message = 'makepublicrequestbyownermessage';
$arg = display_name($requester, $author);
$userid = $author;
$sessionmessage = get_string('makepublicrequestsent', 'artefact.comment', display_name($author));
}
else {
redirect($url); // Freak out?
}
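Review bot: The display rule in the third hunk (`$data->canedit` on the view or artefact) and the authorization rule in `make_public_validate` (membership of `group_get_admin_ids($group)`) do not agree, so a group member who can edit the view is shown the make-public form and then receives `makepublicnotallowed` on submit; the validator is the check that counts, so either narrow the display condition to group admins or decide that edit permission suffices and relax the validator to match. `$allowed = false` in the validator is assigned and never read. The three `array_search($requester,$group_admins)` tests in `make_public_validate` and `make_public_submit` would read better and avoid loose comparison as `in_array($requester, $group_admins, true)`, assuming both sides are integer ids; note also that the submit handler runs the admin test even when `$requester` is empty, which only the validator guards against.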
......