Admin or space admin can delete arbitrary content (#276 #282)

2025-01-17 22:28:51 +01:00 · 2014-10-22 12:28:07 +02:00 · 2014-10-22 12:28:07 +02:00 · 15664dc5a6
commit 15664dc5a6
parent c9e93b1248
3 changed files with 61 additions and 27 deletions
--- a/protected/models/Content.php
+++ b/protected/models/Content.php
@ -285,14 +285,19 @@ class Content extends CActiveRecord
    public function canDelete($userId = "")
    {

-        if (HSetting::Get('canAdminAlwaysDeleteContent', 'security') == 1 && Yii::app()->user->isAdmin())
-            return true;
-
        if ($userId == "")
            $userId = Yii::app()->user->id;

        if ($this->created_by == $userId)
            return true;
+        
+        if (Yii::app()->user->isAdmin()) {
+            return true;
+        }
+
+        if ($this->container instanceof Space && $this->container->isAdmin($userId)) {
+            return true;
+        }

        return false;
    }
--- a/protected/modules_core/comment/models/Comment.php
+++ b/protected/modules_core/comment/models/Comment.php
@ -172,4 +172,24 @@ class Comment extends HActiveRecordContentAddon
        return Yii::t('CommentModule.models_comment', 'Comment') . " \"" . Helpers::truncateText($this->message, 40) . "\"";
    }

+    public function canDelete($userId = "")
+    {
+
+        if ($userId == "")
+            $userId = Yii::app()->user->id;
+
+        if ($this->created_by == $userId)
+            return true;
+
+        if (Yii::app()->user->isAdmin()) {
+            return true;
+        }
+
+        if ($this->content->container instanceof Space && $this->content->container->isAdmin($userId)) {
+            return true;
+        }
+
+        return false;
+    }
+
 }
--- a/protected/modules_core/comment/widgets/views/showComment.php
+++ b/protected/modules_core/comment/widgets/views/showComment.php
@ -9,40 +9,49 @@
 * @since 0.5
 */
 ?>
+<?php
+$canWrite = $comment->canWrite();
+$canDelete = $comment->canDelete();
+?>

 <div class="media" id="comment_<?php echo $comment->id; ?>">
-    <?php if ($comment->canDelete()) : ?>
+    <?php if ($canWrite || $canDelete) : ?>

        <ul class="nav nav-pills preferences">
            <li class="dropdown ">
                <a class="dropdown-toggle" data-toggle="dropdown" href="#"><i class="fa fa-angle-down"></i></a>

                <ul class="dropdown-menu pull-right">
-                    <li>
-                        <?php
-                        echo HHtml::ajaxLink('<i class="fa fa-pencil"></i> Edit', Yii::app()->createAbsoluteUrl('//comment/comment/edit', array('id' => $comment->id)), array(
-                            'success' => "js:function(html){ $('.preferences .dropdown').removeClass('open'); $('#comment_editarea_" . $comment->id . "').replaceWith(html); $('#comment_input_" . $comment->id . "_contenteditable').focus(); }"
-                        ));
-                        ?>
-                    </li>
-                    <li>

-                        <!-- load modal confirm widget -->
-                        <?php
-                        $this->widget('application.widgets.ModalConfirmWidget', array(
-                            'uniqueID' => 'modal_commentdelete_' . $comment->id,
-                            'linkOutput' => 'a',
-                            'title' => Yii::t('CommentModule.widgets_views_showComment', '<strong>Confirm</strong> comment deleting'),
-                            'message' => Yii::t('CommentModule.widgets_views_showComment', 'Do you really want to delete this comment?'),
-                            'buttonTrue' => Yii::t('CommentModule.widgets_views_showComment', 'Delete'),
-                            'buttonFalse' => Yii::t('CommentModule.widgets_views_showComment', 'Cancel'),
-                            'linkContent' => '<i class="fa fa-trash-o"></i> ' . Yii::t('CommentModule.widgets_views_showComment', 'Delete'),
-                            'linkHref' => $this->createUrl("//comment/comment/delete", array('model' => $comment->object_model, 'id' => $comment->object_id, 'cid' => $comment->id)),
-                            'confirmJS' => "function(html) { $('#comments_area_" . $comment->object_model . "_" . $comment->object_id . "').html(html); }"
-                        ));
-                        ?>
+                    <?php if ($canWrite): ?>
+                        <li>
+                            <?php
+                            echo HHtml::ajaxLink('<i class="fa fa-pencil"></i> Edit', Yii::app()->createAbsoluteUrl('//comment/comment/edit', array('id' => $comment->id)), array(
+                                'success' => "js:function(html){ $('.preferences .dropdown').removeClass('open'); $('#comment_editarea_" . $comment->id . "').replaceWith(html); $('#comment_input_" . $comment->id . "_contenteditable').focus(); }"
+                            ));
+                            ?>
+                        </li>
+                    <?php endif; ?>

-                    </li>
+                    <?php if ($canDelete): ?>
+                        <li>
+
+                            <!-- load modal confirm widget -->
+                            <?php
+                            $this->widget('application.widgets.ModalConfirmWidget', array(
+                                'uniqueID' => 'modal_commentdelete_' . $comment->id,
+                                'linkOutput' => 'a',
+                                'title' => Yii::t('CommentModule.widgets_views_showComment', '<strong>Confirm</strong> comment deleting'),
+                                'message' => Yii::t('CommentModule.widgets_views_showComment', 'Do you really want to delete this comment?'),
+                                'buttonTrue' => Yii::t('CommentModule.widgets_views_showComment', 'Delete'),
+                                'buttonFalse' => Yii::t('CommentModule.widgets_views_showComment', 'Cancel'),
+                                'linkContent' => '<i class="fa fa-trash-o"></i> ' . Yii::t('CommentModule.widgets_views_showComment', 'Delete'),
+                                'linkHref' => $this->createUrl("//comment/comment/delete", array('model' => $comment->object_model, 'id' => $comment->object_id, 'cid' => $comment->id)),
+                                'confirmJS' => "function(html) { $('#comments_area_" . $comment->object_model . "_" . $comment->object_id . "').html(html); }"
+                            ));
+                            ?>
+                        </li>
+                    <?php endif; ?>
                </ul>
            </li>
        </ul>