
Moderation link has expired?

Posted: Wed Feb 29, 2012 7:26 am
by chris_goe
Hi,

for some time now I noticed that whenever I got an email notifying me about a new comment to be moderated by me, clicking the "Approve comment" URL (the one with the comment_token) always gives:

Code:

Moderation link has expired or comment #123 has already been approved or deleted

Then I have to log in to the blog and have to manually approve the comment.

This worked before and I noticed that it stopped working after some s9y update. I git-bisect'ed this to the following commit:

Code:

commit 0fd5541e51a174f35182be2896118c9ba7784016
Author: Grischa Brockhaus <github@brockha.us>
Date:   Sat Dec 31 13:28:16 2011 +0100

    serendipity_approveComment:
    Only allow the user to approve a comment, if
    he owns the article or has adminEntriesMaintainOthers (or forced is
    true). Please check this fix, if it is okay and redo if not.

When git-revert'ing this one commit, the "Approve comment" URLs are working again. Maybe someone knows a better way to fix whatever has been fixed with this commit w/o breaking the one-click-approve URLs?

Thanks,
C.

Re: Moderation link has expired?

Posted: Wed Feb 29, 2012 11:33 am
by blog.brockha.us
Hi Chris.

Good catch, thanks for this report!

But no matter what I try, I am not able to reproduce this problem. When I approve a comment added to an article written by me, everything works w/o problem on my blog.

Can you tell me a little more about your "blog situation"? Is it a multi writer blog? Are writers allowed to change articles of others? Are you approving a comment added to an article written by another writer and didn't allow that perhaps?

Is it working for you, if you change this:

Code:

    // Check for adminEntriesMaintainOthers
    if (!$force && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
        return false; // wrong user having no adminEntriesMaintainOthers right
    }

to this:

Code:

    // Check for adminEntriesMaintainOthers
    if (!$force && !$token && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
        return false; // wrong user having no adminEntriesMaintainOthers right
    }

(added !$token to the if clause)

Re: Moderation link has expired?

Posted: Wed Feb 29, 2012 4:38 pm
by garvinhicking
Hi Grischa!

Maybe you have the "auto-login" feature enabled, so every time you visit your blog you are auto-authenticated, and chris is maybe not using this autologin?

In that case I think, the approval in fact really needs to work without being logged in, and only depend on a valid token... (which is the intention of that token feature in the first instance, to not require logging in to perform the moderation approval)

Regards,
Garvin

Re: Moderation link has expired?

Posted: Thu Mar 01, 2012 2:55 am
by chris_goe
Hi,

yes, as Garvin noted, I'm not logged in to the blog when approving the comment with the tokenURL.

And Grischa is spot on, adding !$token to the condition helps. Now I'm mad at myself for not having this debugged myself, d'oh...

Thanks for the quick help!

Christian.

Code:

diff --git a/include/functions_comments.inc.php b/include/functions_comments.inc.php
index 0d5615a..3839f04 100644
--- a/include/functions_comments.inc.php
+++ b/include/functions_comments.inc.php
@@ -658,7 +658,7 @@ function serendipity_approveComment($cid, $entry_id, $force = false, $moderate =
     $rs  = serendipity_db_query($sql, true);
     
     // Check for adminEntriesMaintainOthers
-    if (!$force && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
+    if (!$force && !$token && $rs['entry_authorid'] != $serendipity['authorid'] && !serendipity_checkPermission('adminEntriesMaintainOthers')) {
         return false; // wrong user having no adminEntriesMaintainOthers right
     }
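
Review bot: on the changed if line, !$token only tests that a token value is present, so the entry_authorid / adminEntriesMaintainOthers check is skipped for any truthy $token, and nothing in this hunk shows that the token was validated before this point. Gate the bypass on the outcome of the token validation rather than on the raw parameter, and extend the "Check for adminEntriesMaintainOthers" comment to say that a verified moderation token is deliberately allowed to approve without a logged-in author.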


Re: Moderation link has expired?

Posted: Thu Mar 01, 2012 3:34 am
by blog.brockha.us
@garvin: Well, I tested with autologin enabled and disabled, both worked in my case. :)
@christian: Thanks for testing. I was already thinking about that being the problem (although there was no problem in my case with that). Good that we found that. :)

Re: Moderation link has expired?

Posted: Thu Mar 01, 2012 9:42 am
by garvinhicking
Hi!

Great work guys! Thanks!

Regards,
Garvin

Re: Moderation link has expired?

Posted: Thu Mar 01, 2012 3:05 pm
by blog.brockha.us
Ian reported a better fix: instead of !$token use !$goodtoken. So this only works, if the token was accepted.

Garvin: What do you think, should we backport this check to 1.6? I'm not sure atm..
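
The difference between testing !$token and !$goodtoken, as an added example that is not part of the thread or of Serendipity's code. The function names, the token store and the sample values are hypothetical, and the expiry check and constant-time comparison are assumptions about what "accepted" means.

```php
<?php
// Added illustration, not Serendipity code. All names below are hypothetical.

// Constructed sample data: one stored moderation token for comment #123.
$storedTokens = [
    123 => ['token' => 'c0ffee1234567890', 'expires' => 2000000000],
];

// A token is "good" only if it matches the stored value and has not expired.
function isGoodToken(array $stored, int $cid, ?string $token, int $now): bool
{
    if ($token === null || $token === '' || !isset($stored[$cid])) {
        return false;
    }
    return hash_equals($stored[$cid]['token'], $token)   // constant-time compare
        && $now < $stored[$cid]['expires'];
}

// Presence check: skips the owner/permission test for ANY non-empty token.
function mayApprovePresence(bool $force, ?string $token, bool $isOwner, bool $canMaintainOthers): bool
{
    return !(!$force && !$token && !$isOwner && !$canMaintainOthers);
}

// Validated check: skips the test only when the token was accepted.
function mayApproveValidated(bool $force, bool $goodToken, bool $isOwner, bool $canMaintainOthers): bool
{
    return !(!$force && !$goodToken && !$isOwner && !$canMaintainOthers);
}

$now = 1330600000; // constructed timestamp (1 March 2012)
// Visitor is not logged in: not the owner, no adminEntriesMaintainOthers.
foreach (['c0ffee1234567890', 'guessed-value', null] as $token) {
    $good = isGoodToken($storedTokens, 123, $token, $now);
    printf(
        "token=%-18s presence=%-5s validated=%s\n",
        var_export($token, true),
        var_export(mayApprovePresence(false, $token, false, false), true),
        var_export(mayApproveValidated(false, $good, false, false), true)
    );
}
```

Only the row with the stored token should pass the validated check; the presence check also passes the row whose token does not match.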

Re: Moderation link has expired?

Posted: Thu Mar 01, 2012 5:06 pm
by garvinhicking
Hi!

I wouldn't backport this to 1.6, IMHO it might have some more side effects and does not fix anything REAL important that would be required within a 1.6 maintenance release, IMHO.

Regards,
Garvin