On 03/18/2011 07:58 AM, Vincent Massol wrote:
> Hi Sergiu,
> I would have thought that users would only need the delete (or edit but I prefer delete)
> rights to remove comments.
> Could you explain the rationale?

The "delete" right is kind of weird. By default, normal users can't
delete documents, unless they're the creator of that document.
Requiring the "delete" right for deleting comments means that other than
administrators and people explicitly granted the delete right, only the
document creator will be allowed to delete comments. And this includes
their own comments on another user's document.

Anyway, this is just a UI mask, the real action uses /objectremove/
which internally uses the "edit" right.

> BTW for logged in users, what do they need now?

They need to be able to edit the document, and they can only delete
their own comments (from the UI, by using the object editor they can
delete any comment).

At least for me, this is logical:
* Guests shouldn't be allowed to delete comments (it's not possible to
link one guest to an anonymous comment, so the author is not real)
** Unless they have admin rights (empty wiki)
* Logged in users should only be allowed to delete their own comments,
if they have the right to delete comments at all
* Administrators should be allowed to delete any comment

> Thanks
> -Vincent
> On Mar 18, 2011, at 12:36 AM, sdumitriu (SVN) wrote:
> Author: sdumitriu
> Date: 2011-03-18 00:36:44 +0100 (Fri, 18 Mar 2011)
> New Revision: 35698
>
> Modified:
> platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm
> Log:
> XWIKI-4842: Issues on Preview/Edit Comments for Unregistered Users
> Guests should not be allowed to delete comments unless they have admin rights.
>
> Modified: platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm
> ===================================================================
> ---
platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm 2011-03-17
23:29:08 UTC (rev 35697)
> +++
platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm 2011-03-17
23:36:44 UTC (rev 35698)
> @@ -151,7 +151,7 @@
> <span class="commenttool commentedit"><a
class="edit" href="$doc.getURL('view',
"viewer=comments&number=${comment.number}&xredirect=$xredirect")"
title="$msg.get('core.viewers.comments.edit')">$msg.get('core.viewers.comments.edit')</a></span>
> #end
> #end
> - #if ($hasEdit)
> + #if ($hasAdmin || (!$isGuest&& $hasEdit&& $comment.author ==
$xcontext.user))
> <span class="commenttool commentdelete"><a
class="delete" href="$doc.getURL('objectremove',
"form_token=$!{services.csrf.getToken()}&classname=${xCommentClass}&classid=${comment.number}&xredirect=$xredirect")"
title="$msg.get('core.viewers.comments.delete')">$msg.get('core.viewers.comments.delete')</a></span>
> #end
> </span>## commenttools
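Review bot: The new `#if` around the `commentdelete` span only decides whether the link is rendered; the `href` still targets `objectremove` with just `classname` and `classid`, so the ownership test `$comment.author == $xcontext.user` is not applied when that action is requested directly. The reply in this thread says the action itself checks only the "edit" right, so the same admin-or-own-comment condition should be repeated where the object is removed, or at least a template comment on this line should say that the condition is a display filter and not the access check. Two smaller points on the same line: `!$isGuest&& $hasEdit&&` is missing the space before each `&&`, and because `$hasAdmin ||` comes first, a short comment stating that a guest with admin rights is intentionally allowed would match the commit log.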
--
Sergiu Dumitriu
http://purl.org/net/sergiu/