[xwiki-devs] [xwiki-notifications] r35698 - platform/web/trunk/standard/src/main/webapp/templates

Sergiu Dumitriu sergiu at xwiki.com
Fri Mar 18 17:21:40 UTC 2011

On 03/18/2011 07:58 AM, Vincent Massol wrote:
> Hi Sergiu,
> I would have thought that users would only need the delete (or edit but I prefer delete) rights to remove comments.
> Could you explain the rationale?

The "delete" right is kind of weird. By default, normal users can't 
delete documents, unless they're the creator of that document.

Requiring the "delete" right for deleting comments means that other than 
administrators and people explicitly granted the delete right, only the 
document creator will be allowed to delete comments. And this includes 
their own comments on another user's document.

Anyway, this is just a UI mask; the real action uses /objectremove/, 
which internally uses the "edit" right.

> BTW for logged in users, what do they need now?

They need to be able to edit the document, and they can only delete 
their own comments (from the UI, by using the object editor they can 
delete any comment).

At least for me, this is logical:

* Guests shouldn't be allowed to delete comments (it's not possible to 
link one guest to an anonymous comment, so the author is not real)
** Unless they have admin rights (empty wiki)
* Logged in users should only be allowed to delete their own comments, 
if they have the right to delete comments at all
* Administrators should be allowed to delete any comment

> Thanks
> -Vincent
> On Mar 18, 2011, at 12:36 AM, sdumitriu (SVN) wrote:
>> Author: sdumitriu
>> Date: 2011-03-18 00:36:44 +0100 (Fri, 18 Mar 2011)
>> New Revision: 35698
>> Modified:
>>    platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm
>> Log:
>> XWIKI-4842: Issues on Preview/Edit Comments for Unregistered Users
>> Guests should not be allowed to delete comments unless they have admin rights.
>> Modified: platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm
>> ===================================================================
>> --- platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm	2011-03-17 23:29:08 UTC (rev 35697)
>> +++ platform/web/trunk/standard/src/main/webapp/templates/commentsinline.vm	2011-03-17 23:36:44 UTC (rev 35698)
>> @@ -151,7 +151,7 @@
>>            <span class="commenttool commentedit"><a class="edit" href="$doc.getURL('view', "viewer=comments&number=${comment.number}&xredirect=$xredirect")" title="$msg.get('core.viewers.comments.edit')">$msg.get('core.viewers.comments.edit')</a></span>
>>          #end
>>        #end
>> -      #if ($hasEdit)
>> +      #if ($hasAdmin || (!$isGuest&&  $hasEdit&&  $comment.author == $xcontext.user))
>>          <span class="commenttool commentdelete"><a class="delete" href="$doc.getURL('objectremove', "form_token=$!{services.csrf.getToken()}&classname=${xCommentClass}&classid=${comment.number}&xredirect=$xredirect")" title="$msg.get('core.viewers.comments.delete')">$msg.get('core.viewers.comments.delete')</a></span>
>>        #end
>>        </span>## commenttools
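
Review bot: the new `#if` around the `commentdelete` span only decides whether the link is rendered; the `objectremove` URL inside it is unchanged, so the own-comment rule (`$comment.author == $xcontext.user`) is not enforced by anything in this hunk. If the rule is meant as a restriction rather than a display preference, the same condition needs to be checked where the removal is processed, and a `##` comment above the `#if` stating the intended rule (admins any comment, logged-in editors only their own, guests none) would keep the template and any later server-side check aligned. Style: put spaces on both sides of `&&` in the condition.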

Sergiu Dumitriu
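
The difference the message above describes between the template condition and the `objectremove` check can be listed mechanically. This is an added example, not code from the e-mail or from XWiki; the `Caller` model, the function names and the assumption that an admin also passes the edit check are hypothetical.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Caller:
    """Hypothetical model of the template variables; not XWiki's API."""
    is_guest: bool
    has_admin: bool
    has_edit: bool
    is_author: bool  # stands for $comment.author == $xcontext.user


def ui_shows_delete(c: Caller) -> bool:
    # The r35698 template condition, transcribed.
    return c.has_admin or (not c.is_guest and c.has_edit and c.is_author)


def action_allows_delete(c: Caller) -> bool:
    # Per the e-mail, /objectremove/ internally uses the "edit" right.
    # Assumption: an admin also passes that check.
    return c.has_edit or c.has_admin


def callers():
    """Every combination of the four flags that can actually occur."""
    for flags in product([False, True], repeat=4):
        c = Caller(*flags)
        # An anonymous comment cannot be linked to one guest,
        # so a guest is never treated as the author.
        if c.is_guest and c.is_author:
            continue
        yield c


def compare():
    """Return (hidden_but_allowed, shown_but_denied) for the two checks."""
    hidden_but_allowed = [c for c in callers()
                          if action_allows_delete(c) and not ui_shows_delete(c)]
    shown_but_denied = [c for c in callers()
                        if ui_shows_delete(c) and not action_allows_delete(c)]
    return hidden_but_allowed, shown_but_denied


if __name__ == "__main__":
    hidden, shown = compare()
    for c in hidden:
        print("link hidden, action still permitted:", c)
    print("link shown but action denied:", shown)
```

Each row printed as "link hidden, action still permitted" is a case that an access-control test for the removal action should cover directly instead of relying on the template.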
