Changeset 5650

Timestamp:

07/11/2017 09:05:57 PM (6 years ago)

Author:

SergeyBiryukov

Message:

Support Forums, User Notes: Limit note editing and deletion:

• Only keymasters or the note author can edit a note.
• Only keymasters can delete a note.

See #2272.

File:

• sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-user-notes.php (modified) (8 diffs)

sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-user-notes.php

@@ -4 +4 @@
 
 class User_Notes {
-
-    /**
-     * An array of authors who have written notes.
-     *
-     * These are stored to avoid looking up user IDs for every note.
-     *
-     * @access private
-     *
-     * @var array $moderators
-     */
-    private $moderators = array();
 
     /**
@@ -104 +93 @@
             );
         } else {
+            // Only keymasters or the note author can edit a note.
+            if (
+                ! current_user_can( 'keep_gate' )
+            &&
+                $user_notes[ $note_id ]->moderator !== wp_get_current_user()->user_nicename
+            ) {
+                return;
+            }
+
             // Save new text for an existing note.
             $user_notes[ $note_id ]->text = $note_text;
@@ -127 +125 @@
      */
     function delete_user_note( $action = '' ) {
-        if ( 'wporg_bbp_delete_user_note' !== $action || ! current_user_can( 'moderate' ) ) {
+        if ( 'wporg_bbp_delete_user_note' !== $action || ! current_user_can( 'keep_gate' ) ) {
             return;
         }
@@ -259 +257 @@
 
         foreach ( $user_notes as $key => $note ) {
-            $moderator = $note->moderator;
-
-            if ( ! isset( $this->moderators[ $moderator ] ) ) {
-                $this->moderators[ $moderator ] = $moderator;
-            }
-
             $post_site_id       = isset( $note->site_id ) ? (int) $note->site_id : get_current_blog_id();
             $post_permalink     = $this->get_user_note_post_permalink( $note->post_id, $user_id, $post_site_id );
@@ -273 +265 @@
                 'author' => sprintf( __( 'By %1$s on <a href="%2$s">%3$s at %4$s</a>', 'wporg-forums' ),
                     sprintf( '<a href="%s">%s</a>',
-                        esc_url( get_home_url( $post_site_id, "/users/$moderator/" ) ),
-                        $moderator
+                        esc_url( get_home_url( $post_site_id, "/users/{$note->moderator}/" ) ),
+                        $note->moderator
                     ),
                     esc_url( $post_permalink ),
@@ -284 +276 @@
             );
 
-            if ( $post_site_id == get_current_blog_id() ) {
-
+            // Only keymasters or the note author can edit a note.
+            if (
+                current_user_can( 'keep_gate' ) && $post_site_id == get_current_blog_id()
+            ||
+                $note->moderator === wp_get_current_user()->user_nicename
+            ) {
                 $note_meta['edit'] = sprintf( '<a href="%s">%s</a>',
                     esc_url(
@@ -296 +292 @@
                     __( 'Edit', 'wporg-forums' )
                 );
-
+            }
+
+            // Only keymasters can delete a note.
+            if ( current_user_can( 'keep_gate' ) && $post_site_id == get_current_blog_id() ) {
                 $note_meta['delete'] = sprintf( '<a href="%s">%s</a>',
                     esc_url( wp_nonce_url(
@@ -308 +307 @@
                     __( 'Delete', 'wporg-forums' )
                 );
-
             }