I think there’s a logic bug in the v3 comment moderation code (might not be an issue in v4, but I can’t upgrade yet because addons).
On line 3167 of mod.comments.php, the system tries to determine if the currently logged in user has permission to moderate and/or edit the current comment:
    if (ee('Permission')->has('can_edit_all_comments')
        OR (ee('Permission')->has('can_edit_own_comments')
            && $query->row('entry_author_id') == ee()->session->userdata['member_id']))
    {
        $can_edit = TRUE;
        $can_moderate = TRUE;
    }
So, the code is checking if:
I think this is a bug because the code should be checking if the COMMENT was authored by this user, not the ENTRY.
If a user comments on any article, and the permissions system specifies that members of the group they belong to are allowed to edit their own comments, shouldn’t they be able to edit those comments regardless of who authored the entry they commented on?
Why does the author of the entry have anything to do with whether the currently logged in user is able to edit his/her own comments if the permissions specifically say they are able to do that?
I think this line:
    $query->row('entry_author_id') == ee()->session->userdata['member_id']
should be changed to
    $query->row('author_id') == ee()->session->userdata['member_id']
so that the system is checking the author of the comment itself, not the entry.
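The two ownership checks discussed in the post, compared side by side as an added example; this is not part of the original post and not ExpressionEngine code. The function `can_edit_comment`, the `$perms` array and the sample rows are constructed for illustration, and the example assumes, as the post does, that the query row carries the comment's `author_id` alongside `entry_author_id`.

```php
<?php
// Added example: stand-alone model of the check, not ExpressionEngine code.
// $perms stands in for ee('Permission')->has(); $row for the $query row.

function can_edit_comment(array $perms, array $row, int $member_id, string $owner_column): bool
{
    if (in_array('can_edit_all_comments', $perms, true)) {
        return true;
    }
    // Database values arrive as strings, so cast before a strict compare;
    // a missing column never matches.
    return in_array('can_edit_own_comments', $perms, true)
        && isset($row[$owner_column])
        && (int) $row[$owner_column] === $member_id;
}

// Constructed sample rows. entry_author_id: who wrote the entry;
// author_id: who wrote the comment. Member 7 is the logged-in user.
$member_id = 7;
$perms = ['can_edit_own_comments'];
$cases = [
    "own comment, own entry"         => ['entry_author_id' => '7', 'author_id' => '7'],
    "own comment, other's entry"     => ['entry_author_id' => '3', 'author_id' => '7'],
    "other's comment, own entry"     => ['entry_author_id' => '7', 'author_id' => '3'],
    "other's comment, other's entry" => ['entry_author_id' => '3', 'author_id' => '3'],
];

printf("%-32s %-10s %s\n", 'case', 'current', 'proposed');
foreach ($cases as $label => $row) {
    // 'current' compares against the entry author, 'proposed' against the comment author.
    $current  = can_edit_comment($perms, $row, $member_id, 'entry_author_id');
    $proposed = can_edit_comment($perms, $row, $member_id, 'author_id');
    printf("%-32s %-10s %s\n", $label, $current ? 'allow' : 'deny', $proposed ? 'allow' : 'deny');
}
```

The two checks disagree in both directions: the comment-author check starts allowing the second row and stops allowing the third, so the change also removes an entry author's ability to edit other members' comments on their own entry.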