Page 1 of 1
Moderation link has expired?
Posted: Wed Feb 29, 2012 7:26 am
by chris_goe
Hi,
for some time now I noticed that whenever I got an email notifying me about a new comment to be moderated by me, clicking the "Approve comment" URL (the one with the comment_token) always gives:
Code: Select all
Moderation link has expired or comment #123 has already been approved or deleted
Then I have to login to the blog and have to manually approve the comment.
This worked before and I noticed that it stopped working after some s9y update. I git-bisect'ed this to the following commit:
Code: Select all
commit 0fd5541e51a174f35182be2896118c9ba7784016
Author: Grischa Brockhaus <github@brockha.us>
Date: Sat Dec 31 13:28:16 2011 +0100
serendipity_approveComment:
Only allow the user to approve a comment, if
he owns the article or has adminEntriesMaintainOthers (or forced is
true). Please check this fix, if it is okay and redo if not.
When git-revert'ing this one commit, the "Approve comment" URLs are working again. Maybe someone knows a better way to fix whatever has been fixed with this commit w/o breaking the one-click-approve URLs?
Thanks,
C.
Re: Moderation link has expired?
Posted: Wed Feb 29, 2012 11:33 am
by blog.brockha.us
Hi Chris.
Good catch, thanks for this report!
But no matter what I try, I am not able to reproduce this problem. When I approve a comment added to an article written by me, everything works w/o problem on my blog.
Can you tell me a little more about your "blog situation"? Is it a multi writer blog? Are writers allowed to change articles of others? Are you approving a comment added to an article written by another writer and didn't allow that perhaps?
Is it working for you, if you change this:
Code: Select all
// Check for adminEntriesMaintainOthers
if (!$force && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
return false; // wrong user having no adminEntriesMaintainOthers right
}
to this:
Code: Select all
// Check for adminEntriesMaintainOthers
if (!$force && !$token && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
return false; // wrong user having no adminEntriesMaintainOthers right
}
(added !$token to the if clause)
Re: Moderation link has expired?
Posted: Wed Feb 29, 2012 4:38 pm
by garvinhicking
Hi Grischa!
Maybe you have the "auto-login" feature enabled, so everytime you visit your blog you are auto-authenticated, and chris is maybe not using this autologn?
In that case I think, the approval in fact really needs to work without being logged in, and only depend on a valid token... (which is the intention of that token feature in first instance, to not require logging in to perform the moderation approval)
Regards,
Garvin
Re: Moderation link has expired?
Posted: Thu Mar 01, 2012 2:55 am
by chris_goe
Hi,
yes, as Garvin noted, I'm not logged in to the blog when approving the comment with the tokenURL.
And Grischa is spot on, adding !$token to the condition helps. Now I'm mad at myself for not having this debugged myself, d'oh...
Thanks for the quick help!
Christian.
Code: Select all
diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 0d5615a..3839f04 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -658,7 +658,7 @@ function serendipity_approveComment($cid, $entry_id, $force = false, $moderate =
$rs = serendipity_db_query($sql, true);
// Check for adminEntriesMaintainOthers
- if (!$force && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
+ if (!$force && !$token && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
return false; // wrong user having no adminEntriesMaintainOthers right
}
Re: Moderation link has expired?
Posted: Thu Mar 01, 2012 3:34 am
by blog.brockha.us
@garvin: Well, I tested with autologin enabled and disabled, both worked in my case.
@christian: Thanks for testing. I was already thinking about that being the problem (although there was no problem in my case with that). Good that we found that.
Re: Moderation link has expired?
Posted: Thu Mar 01, 2012 9:42 am
by garvinhicking
Hi!
Great work guys! Thanks!
Regards,
Garvin
Re: Moderation link has expired?
Posted: Thu Mar 01, 2012 3:05 pm
by blog.brockha.us
Ian reported a better fix: instead of !$token use !$goodtoken. So this only works, if the token was accepted.
Garvin: What do you think, should we backport this check to 1.6? I'm not sure atm..
Re: Moderation link has expired?
Posted: Thu Mar 01, 2012 5:06 pm
by garvinhicking
Hi!
I wouldn't backport this to 1.6, IMHO it might have some more sideffects and does not fix anything REAL important that would be required within a 1.6 maintenance release, IMHO.
Regards,
Garvin