Comments: Added visibility check to comment delete

Aligns it with other actions/endpoints, and ensures an extra layer of
control against malicious use.

Thanks to mfk25 for reporting.
This commit is contained in:
Dan Brown
2026-07-01 10:20:32 +01:00
parent 01dc1e71c5
commit fe39b69c1f
2 changed files with 21 additions and 7 deletions

View File

@@ -59,8 +59,7 @@ class CommentController extends Controller
'html' => ['required', 'string'],
]);
$comment = $this->commentRepo->getById($commentId);
$this->checkOwnablePermission(Permission::PageView, $comment->entity);
$comment = $this->commentRepo->getVisibleById($commentId);
$this->checkOwnablePermission(Permission::CommentUpdate, $comment);
$comment = $this->commentRepo->update($comment, $input['html']);
@@ -76,8 +75,7 @@ class CommentController extends Controller
*/
public function archive(int $id)
{
$comment = $this->commentRepo->getById($id);
$this->checkOwnablePermission(Permission::PageView, $comment->entity);
$comment = $this->commentRepo->getVisibleById($id);
if (!userCan(Permission::CommentUpdate, $comment) && !userCan(Permission::CommentDelete, $comment)) {
$this->showPermissionError();
}
@@ -96,8 +94,7 @@ class CommentController extends Controller
*/
public function unarchive(int $id)
{
$comment = $this->commentRepo->getById($id);
$this->checkOwnablePermission(Permission::PageView, $comment->entity);
$comment = $this->commentRepo->getVisibleById($id);
if (!userCan(Permission::CommentUpdate, $comment) && !userCan(Permission::CommentDelete, $comment)) {
$this->showPermissionError();
}
@@ -116,7 +113,7 @@ class CommentController extends Controller
*/
public function destroy(int $id)
{
$comment = $this->commentRepo->getById($id);
$comment = $this->commentRepo->getVisibleById($id);
$this->checkOwnablePermission(Permission::CommentDelete, $comment);
$this->commentRepo->delete($comment);

View File

@@ -105,6 +105,23 @@ class CommentStoreTest extends TestCase
$this->assertActivityExists(ActivityType::COMMENT_DELETE);
}
public function test_comment_delete_requires_view_permission_to_page()
{
$editor = $this->users->editor();
$this->permissions->grantUserRolePermissions($editor, ['comment-delete-all']);
$page = $this->entities->page();
$this->actingAs($editor);
$commentData = Comment::factory()->make();
$this->postJson("/comment/$page->id", $commentData->getAttributes());
$comment = $page->comments()->first();
$this->permissions->disableEntityInheritedPermissions($page);
$resp = $this->deleteJson("/comment/$comment->id");
$resp->assertStatus(404);
$this->assertDatabaseHas('comments', ['id' => $comment->id]);
}
public function test_comment_archive_and_unarchive()
{
$this->asAdmin();