An anonymous user can delete EVERY anonymous comment

Started by raetsche, January 28, 2004, 12:20:42 PM

raetsche

Hi there,

This problem/feature request was already mentioned some time ago:
http://forum.coppermine-gallery.net/index.php?topic=2270&highlight=comments+delete

But no answers have been posted yet, because it was posted in a closed forum.
The problem is that anonymous users can delete any comment that other anonymous users have posted before! So e.g. if I read an anonymous post I don't like, I can delete it without problems.
It would be a solution to allow anonymous users only to create comments but NOT to delete comments. Only the Administrator should be able to delete anonymous comments.

Does anybody have an idea how to solve this problem, or is something already in the works?

Nice greetings

Nibbler

I was unable to replicate this problem, but if you open displayimage.php and change:

// Original rule: admin, the logged-in author, or an anonymous visitor whose $USER['ID'] matches the comment's stored author_md5_id
$user_can_edit = (GALLERY_ADMIN_MODE) || (USER_ID && USER_ID == $row['author_id'] && USER_CAN_POST_COMMENTS) || (!USER_ID && USER_CAN_POST_COMMENTS && ($USER['ID'] == $row['author_md5_id']));

to:

// Hardened rule: only admins and the logged-in author; the anonymous branch is dropped
$user_can_edit = (GALLERY_ADMIN_MODE) || (USER_ID && USER_ID == $row['author_id'] && USER_CAN_POST_COMMENTS);

which will stop any anonymous user being given the option to delete/edit.

And if you want to be extra safe, comment out this line:

// This UPDATE is the server-side path that lets an anonymous visitor (author_id = 0) edit a comment whose author_md5_id matches their $USER['ID']
$update = db_query("UPDATE {$CONFIG['TABLE_COMMENTS']} SET msg_body='$msg_body' WHERE msg_id='$msg_id' AND author_md5_id ='{$USER['ID']}' AND author_id = '0' LIMIT 1");

from db_input.php to actually remove that ability from them.
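As an added illustration (not Coppermine's code and not part of Nibbler's post), the two versions of the $user_can_edit rule above modelled as one function and exercised against constructed comment rows, to show why two anonymous visitors sharing the same anonymous identifier can edit each other's comments under the original rule; the function name and array shapes are assumptions.

```php
<?php
// Added example, not Coppermine's code. Models the $user_can_edit rule
// from displayimage.php as a function so both variants can be compared.
// $ctx describes the requesting visitor, $row the comment being checked.
// Field names mirror the thread; the array shapes are assumptions.
function user_can_edit(array $ctx, array $row, bool $allowAnonEdit): bool
{
    // GALLERY_ADMIN_MODE: admins may always edit/delete.
    if ($ctx['admin']) {
        return true;
    }
    // Logged-in users may edit their own comments if they may post at all.
    if ($ctx['user_id'] && $ctx['can_post']) {
        return $ctx['user_id'] == $row['author_id'];
    }
    // Original rule: an anonymous visitor "owns" a comment when the stored
    // author_md5_id equals the visitor's $USER['ID'].
    if ($allowAnonEdit && !$ctx['user_id'] && $ctx['can_post']) {
        return $ctx['md5_id'] === $row['author_md5_id'];
    }
    // Hardened rule (second snippet): anonymous visitors never edit.
    return false;
}

// Constructed data: two anonymous visitors that end up with the same
// anonymous identifier (as the follow-up in this thread reports for a
// local test box where every request arrives from 127.0.0.1).
$sharedId = md5('constructed-anon-id');
$comment  = ['author_id' => 0, 'author_md5_id' => $sharedId];
$visitorA = ['admin' => false, 'user_id' => 0, 'can_post' => true, 'md5_id' => $sharedId];
$visitorB = ['admin' => false, 'user_id' => 0, 'can_post' => true, 'md5_id' => $sharedId];
$admin    = ['admin' => true,  'user_id' => 1, 'can_post' => true, 'md5_id' => ''];

foreach ([true => 'original', false => 'hardened'] as $anonEdit => $label) {
    printf("%s rule: A=%s B=%s admin=%s\n", $label,
        var_export(user_can_edit($visitorA, $comment, (bool) $anonEdit), true),
        var_export(user_can_edit($visitorB, $comment, (bool) $anonEdit), true),
        var_export(user_can_edit($admin,    $comment, (bool) $anonEdit), true));
}
```

Under the original rule visitor B is granted edit rights on A's comment purely because the identifier is shared, while the hardened rule denies both anonymous visitors and leaves the admin path intact.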

raetsche

Thanks for the answer, but now I know why you couldn't replicate the problem. The ability to delete posts is based on the writer's IP address. I am testing here on a local system and the IP address is always 127.0.0.1, so I can delete every anonymous comment...

Anyway, maybe the post is helpful for other people testing on a local system ;-)