#1461 Forum: Can't edit own topic starter without p_admin_forum

v1.8.2
closed-fixed
5
2004-05-27
2004-05-13
SeanH
No

It appears that a user cannot edit a forum post that he
just submitted (or the edit post control needs to be
hidden) and no error message is reported if comment
changes are submitted but fail to be saved to the db.

Steps:
1) Add a new topic to a forum;
2) When the list returns, select the topic to view the
comment you entered when creating the new topic;
3) To the right of the topic title is the "edit.gif"
icon indicating that you can edit the comment. Select it;
4) Add some more text in the comment field of the form;
5) Select "post";
6) You are automagically returned to the topic list.
Select your topic again to view it;
7) The added text from step 4) is NOT there.

Upon examination, it seems that the edit.gif icon is
viewable for the user because he is the owner of that
particular thread. The template
"tiki-view_forum_thread.tpl" allows users matching the
thread's userName to be exposed to the edit control:
{if $tiki_p_admin_forum eq 'y' or ($tiki_p_forum_post eq 'y' and ($thread_info.userName == $user)) }
<a href="tiki-view_forum.php?[params removed for readability]" class="admlink"><img src='img/icons/edit.gif' border='0' alt='{tr}edit{/tr}' title='{tr}edit{/tr}' /></a>
{/if}

This is fine but the controlling page for the form,
"tiki-view_forum.php" checks to see if a thread is
being edited and then only allows admins of that forum
to actually update the database with new comment
information:
1: if ($_REQUEST["comments_threadId"] == 0) {
2:     /* ... */
3: } else {
4:     if ($tiki_p_admin_forum == 'y') {
5:         $commentslib->update_comment($_REQUEST["comments_threadId"], $_REQUEST["comments_title"], '', ($_REQUEST["comments_data"]), $_REQUEST["comment_topictype"], $_REQUEST['comment_topicsummary'], $_REQUEST['comment_topicsmiley']);
6:         /* ... */
7:     }
8: }

If the comments_threadId is not equal to 0 (line 1:),
the user must have tiki_p_admin_forum permission to
submit the comment changes (4:). Failing these two
conditions, the script simply stops processing the
data. No message is returned that the data has been
received but is not being saved.

For myself, I added a check to see if the user is the
original author (thread's userName) and, if so, allow
the processing just as if the user had
tiki_p_admin_forum. I also added an else clause @ 7:
to throw an error message if processing is denied.
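
The approach described in the report, as an added example (not the reporter's patch and not Tiki's code): one predicate that applies the same rule as the template condition, with ownership read from the stored thread and an explicit error on denial. The function names, the `$threads` array and the sample data are assumptions made for illustration.

```php
<?php
// Added example: every name below is hypothetical, not Tiki's code.

// Single authorization predicate, mirroring the template condition:
// forum admin, or (may post AND is the thread's author).
function can_edit_thread(array $perms, ?string $user, array $thread): bool
{
    if (($perms['tiki_p_admin_forum'] ?? 'n') === 'y') {
        return true;
    }
    // Assumption: an anonymous session has an empty $user; it must never
    // match a thread whose stored userName is also empty.
    if ($user === null || $user === '') {
        return false;
    }
    return ($perms['tiki_p_forum_post'] ?? 'n') === 'y'
        && $thread['userName'] === $user;
}

// Edit handler: ownership comes from the stored thread, never from the request.
function handle_thread_edit(array &$threads, array $perms, ?string $user, array $request): array
{
    $id = (int) ($request['comments_threadId'] ?? 0);
    if (!isset($threads[$id])) {
        return ['saved' => false, 'error' => 'No such thread'];
    }
    if (!can_edit_thread($perms, $user, $threads[$id])) {
        // The else branch the report asks for: say so instead of silently dropping the data.
        return ['saved' => false, 'error' => 'Permission denied: you cannot edit this post'];
    }
    $threads[$id]['data'] = (string) ($request['comments_data'] ?? '');
    return ['saved' => true, 'error' => null];
}

// Constructed sample data.
$threads = [7 => ['userName' => 'alice', 'data' => 'first draft']];
$post    = ['tiki_p_forum_post' => 'y'];
$edit    = ['comments_threadId' => '7', 'comments_data' => 'first draft, amended'];

var_dump(handle_thread_edit($threads, $post, 'alice', $edit)); // thread author
var_dump(handle_thread_edit($threads, $post, 'bob', $edit));   // another poster
var_dump(handle_thread_edit($threads, ['tiki_p_admin_forum' => 'y'], 'bob', $edit)); // forum admin
```

Using the same predicate to decide whether the edit icon is rendered keeps the view and the handler from drifting apart again.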

Discussion

    • summary: Forum: User can't edit own post --> Forum: Can't edit own topic starter without p_admin_forum
    • status: open --> open-fixed
     
  • Logged In: YES
    user_id=738765

    Thanks for the report, I fixed that for 1.8.3.

     
  • Oliver Hertel
    2004-05-27

    • assigned_to: nobody --> ohertel
     
  • Oliver Hertel
    2004-05-27

    • assigned_to: ohertel --> chealer
    • status: open-fixed --> closed-fixed