author | Yorhel <git@yorhel.nl> | 2020-08-18 08:09:14 +0200 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2020-08-18 08:09:14 +0200 |
commit | 89f1916021d64ddb0f8f3fb3fda9843515c74dee (patch) | |
tree | cc96777da9c1bcf2fa2069b8332dae0a10bd2374 | |
parent | e780ce10770eb1f91a55b5f954560b8824d6f474 (diff) |
Reviews: Also fix editing permission check
-rw-r--r-- | lib/VNWeb/Reviews/Edit.pm | 4 | ||||
-rw-r--r-- | lib/VNWeb/Validation.pm | 2 |
2 files changed, 3 insertions, 3 deletions
diff --git a/lib/VNWeb/Reviews/Edit.pm b/lib/VNWeb/Reviews/Edit.pm
index 3e05cad7..5644c27a 100644
--- a/lib/VNWeb/Reviews/Edit.pm
+++ b/lib/VNWeb/Reviews/Edit.pm
@@ -36,7 +36,7 @@ TUWF::get qr{/$RE{vid}/addreview}, sub {
 TUWF::get qr{/$RE{wid}/edit}, sub {
 my $e = tuwf->dbRowi(
- 'SELECT r.id, r.uid, r.vid, r.rid, r.summary, r.text, r.spoiler, v.title AS vntitle
+ 'SELECT r.id, r.uid AS user_id, r.vid, r.rid, r.summary, r.text, r.spoiler, v.title AS vntitle
 FROM reviews r JOIN vn v ON v.id = r.vid WHERE r.id =', \tuwf->capture('id')
 );
 return tuwf->resNotFound if !$e->{id};
@@ -54,7 +54,7 @@ elm_api ReviewsEdit => $FORM_OUT, $FORM_IN, sub {
 my($data) = @_;
 my $id = delete $data->{id};
- my $review = $id ? tuwf->dbRowi('SELECT id, uid FROM reviews WHERE id =', \$id) : {};
+ my $review = $id ? tuwf->dbRowi('SELECT id, uid AS user_id FROM reviews WHERE id =', \$id) : {};
 return elm_Unauth if !can_edit w => $review;
 validate_dbid 'SELECT id FROM vn WHERE id IN', $data->{vid};
diff --git a/lib/VNWeb/Validation.pm b/lib/VNWeb/Validation.pm
index 341d3947..d40f42c6 100644
--- a/lib/VNWeb/Validation.pm
+++ b/lib/VNWeb/Validation.pm
@@ -207,7 +207,7 @@ sub can_edit {
 if($type eq 'w') {
 return 1 if auth->permBoardmod;
 return auth->permReview if !$entry->{id};
- return auth && auth->uid == $entry->{uid};
+ return auth && auth->uid == $entry->{user_id};
 }
 die "Can't do authorization test when entry_hidden/entry_locked fields aren't present" |
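Review bot: In the `ReviewsEdit` handler of lib/VNWeb/Reviews/Edit.pm, an `id` that matches no row appears to be authorized as if the request were creating a new review. If `dbRowi` returns an empty hash on a miss (the `!$e->{id}` test in the first hunk suggests it does), `$review->{id}` is false and `can_edit` takes its `return auth->permReview if !$entry->{id}` branch, so the ownership comparison this commit repairs is never reached for that request. A guard directly after the lookup, `return elm_Unauth if $id && !$review->{id};`, would keep the create and edit paths apart. The handler body continues outside the hunk, so whether a later statement already rejects this case cannot be confirmed from here.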
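Review bot: The `'w'` branch of `can_edit` in lib/VNWeb/Validation.pm still gives no signal when a caller passes a row without `user_id`: `auth->uid == $entry->{user_id}` then compares against undef, which numifies to 0, so the edit is presumably refused with at most an uninitialized-value warning. That is the same kind of mismatch between a query's column alias and the key the check reads that this commit corrects in two callers. The function already dies when the `entry_hidden`/`entry_locked` fields are absent; the same treatment here, `die "Can't do authorization test when the user_id field isn't present" if !exists $entry->{user_id};` placed before the final `return` of the branch, would surface a missing alias on first use instead of as a silent denial. `can_edit` starts and ends outside the hunk.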