diff options
author | Yorhel <git@yorhel.nl> | 2022-01-20 09:12:37 +0100 |
---|---|---|
committer | Yorhel <git@yorhel.nl> | 2022-01-20 09:13:32 +0100 |
commit | c119e60e3ddea4c86cabf8e0866b8a0b7f68ad26 (patch) | |
tree | 2ced80d16b0a461b951df5a94e8ce7a6b574f62b | |
parent | dbb0df8e7131f82d8c6151fdf2f6052d019df50e (diff) |
Validation: Fix authorization of thread edits by creator
Broken since 8c1fcdb94b46373c4e9c8d533e645edf6aba6f7a (!?)
-rw-r--r-- | lib/VNWeb/Validation.pm | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/VNWeb/Validation.pm b/lib/VNWeb/Validation.pm index bc49d847..ae2b34b1 100644 --- a/lib/VNWeb/Validation.pm +++ b/lib/VNWeb/Validation.pm @@ -243,7 +243,9 @@ sub can_edit { } else { die "Can't do authorization test when hidden/date/user_id fields aren't present" if !exists $entry->{hidden} || !exists $entry->{date} || !exists $entry->{user_id}; - return auth && $entry->{user_id} eq auth->uid && !defined $entry->{hidden} && $entry->{date} > time-config->{board_edit_time}; + # beware: for threads the 'hidden' field is a non-undef boolean flag, for posts it is a possibly-undef text field. + my $hidden = $entry->{id} =~ /^t/ && $entry->{num} == 1 ? $entry->{hidden} : defined $entry->{hidden}; + return auth && $entry->{user_id} eq auth->uid && !$hidden && $entry->{date} > time-config->{board_edit_time}; } } |