

Timestamp:
07/11/2017 09:05:57 PM (7 years ago)
Author:
SergeyBiryukov
Message:

Support Forums, User Notes: Limit note editing and deletion:

  • Only keymasters or the note author can edit a note.
  • Only keymasters can delete a note.

See #2272.

File:
1 edited

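--- a/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-user-notes.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/plugins/support-forums/inc/class-user-notes.php
@@ -4,15 +4,4 @@
 
 class User_Notes {
-
-    /**
-     * An array of authors who have written notes.
-     *
-     * These are stored to avoid looking up user IDs for every note.
-     *
-     * @access private
-     *
-     * @var array $moderators
-     */
-    private $moderators = array();
 
     /**
@@ -104,4 +93,13 @@
             );
         } else {
+            // Only keymasters or the note author can edit a note.
+            if (
+                ! current_user_can( 'keep_gate' )
+            &&
+                $user_notes[ $note_id ]->moderator !== wp_get_current_user()->user_nicename
+            ) {
+                return;
+            }
+
             // Save new text for an existing note.
             $user_notes[ $note_id ]->text = $note_text;
@@ -127,5 +125,5 @@
      */
     function delete_user_note( $action = '' ) {
-        if ( 'wporg_bbp_delete_user_note' !== $action || ! current_user_can( 'moderate' ) ) {
+        if ( 'wporg_bbp_delete_user_note' !== $action || ! current_user_can( 'keep_gate' ) ) {
             return;
         }
@@ -259,10 +257,4 @@
 
         foreach ( $user_notes as $key => $note ) {
-            $moderator = $note->moderator;
-
-            if ( ! isset( $this->moderators[ $moderator ] ) ) {
-                $this->moderators[ $moderator ] = $moderator;
-            }
-
             $post_site_id       = isset( $note->site_id ) ? (int) $note->site_id : get_current_blog_id();
             $post_permalink     = $this->get_user_note_post_permalink( $note->post_id, $user_id, $post_site_id );
@@ -273,6 +265,6 @@
                 'author' => sprintf( __( 'By %1$s on <a href="%2$s">%3$s at %4$s</a>', 'wporg-forums' ),
                     sprintf( '<a href="%s">%s</a>',
-                        esc_url( get_home_url( $post_site_id, "/users/$moderator/" ) ),
-                        $moderator
+                        esc_url( get_home_url( $post_site_id, "/users/{$note->moderator}/" ) ),
+                        $note->moderator
                     ),
                     esc_url( $post_permalink ),
@@ -284,6 +276,10 @@
             );
 
-            if ( $post_site_id == get_current_blog_id() ) {
-
+            // Only keymasters or the note author can edit a note.
+            if (
+                current_user_can( 'keep_gate' ) && $post_site_id == get_current_blog_id()
+            ||
+                $note->moderator === wp_get_current_user()->user_nicename
+            ) {
                 $note_meta['edit'] = sprintf( '<a href="%s">%s</a>',
                     esc_url(
@@ -296,5 +292,8 @@
                     __( 'Edit', 'wporg-forums' )
                 );
-
+            }
+
+            // Only keymasters can delete a note.
+            if ( current_user_can( 'keep_gate' ) && $post_site_id == get_current_blog_id() ) {
                 $note_meta['delete'] = sprintf( '<a href="%s">%s</a>',
                     esc_url( wp_nonce_url(
@@ -308,5 +307,4 @@
                     __( 'Delete', 'wporg-forums' )
                 );
-
             }
 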
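Review bot: In the save path of the second hunk (new lines 95–102, whose enclosing function starts and ends outside the hunk), authorship is established by comparing the stored `$user_notes[ $note_id ]->moderator` string with the current user's `user_nicename`, so the authorization rests on a display slug rather than a user ID; if a nicename can change or be reassigned, the right to edit a note follows the slug rather than the account that wrote it, and the same comparison gates the Edit link at new lines 278–283. Within the visible lines that server-side guard also does not consider the note's site, whereas the link rendering requires `$post_site_id == get_current_blog_id()` for keymasters but not for the author branch, so an author can be shown an Edit link for a note stored under another site that the save path never site-scopes — worth either documenting as intended or aligning the two conditions. I would at least mark the assumption next to the new guard: `// NOTE: identity is matched on user_nicename because that is what the note stores; it is not a stable user ID.` A smaller style point: the site comparisons at new lines 280 and 297 use `==`, where `===` would match the strict `!==`/`===` already used on the nicename comparisons.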