Users deleting posts in locked threads.

[Hidoshi]

Hey y'all, got a bit of a buggy problem.

As it stands, my forum users are able to delete their posts inside a locked thread. Not regular threads, just locked ones. It's a bit of a problem, because in case a moderator needs to dispute the actions of a user, that user can wipe out the evidence.

Any fixes for this? I've already checked the permissions and nothing seems wrong. Thanks in advance!

[gbsothere]

Well, Hidoshi......  I am able to replicate this on my test board. A newbie can delete his post on a locked thread.  Unfortunately (and someone correct me if I'm wrong) the permission "Delete posts.... own posts" seems to allow this, whether a topic is locked or not.  Only unchecking that stops a newbie from deleting a post on a locked thread on my board, but then, again, he can't delete anything, anywhere, if that's unchecked. 

I'm not finding a mod that takes locked topics out of the permission loop, but allows a member to delete elsewhere....   it may take a coder to help out with that.

[Kays]

Hmm, interesting. I wonder if this is intended behavior or not.

There's no check to see if the topic is locked or not. For either version.

[gbsothere]

Hmm, interesting. I wonder if this is intended behavior or not.

There's no check to see if the topic is locked or not. For either version.

It might just be an oversight, I guess....   I sure can't find a mod to show that anyone ever caught it and saw the need to remedy it.   

But a locked topic should be just that, I would think.

[Hidoshi]

Well the issue is that "Delete posts... own posts" IS unchecked for regular members, so it shouldn't be available at all. We don't allow deletion for the specific issue of moderation debates. Only a full admin can delete posts in case of spam, etc.

[gbsothere]

Very odd.

Do you know if the members deleting their posts are part of any other membergroup, in addition to regular members, that may allow deletion?  Do you have ranks such as Newbie, Junior, Senior, etc, listed separately with their own permissions (again, in addition to Regular members)?

Sometimes, these get overlooked but can override Regular members' permissions.

[Kays]

I would think so. If a topic is locked one can't modify a post. But it can be deleted. Hmm..

See if this fixes it. In Sources/RemoveTopic.php find:

Code Select Expand


$request = db_query("
SELECT t.ID_MEMBER_STARTED, m.ID_MEMBER, m.subject, m.posterTime
FROM ({$db_prefix}topics AS t, {$db_prefix}messages AS m)
WHERE t.ID_TOPIC = $topic
AND m.ID_TOPIC = $topic
AND m.ID_MSG = $_REQUEST[msg]
LIMIT 1", __FILE__, __LINE__);
list ($starter, $poster, $subject, $post_time) = mysql_fetch_row($request);
mysql_free_result($request);


and change it to:

Code Select Expand


$request = db_query("
SELECT t.ID_MEMBER_STARTED, m.ID_MEMBER, m.subject, m.posterTime, t.locked
FROM ({$db_prefix}topics AS t, {$db_prefix}messages AS m)
WHERE t.ID_TOPIC = $topic
AND m.ID_TOPIC = $topic
AND m.ID_MSG = $_REQUEST[msg]
LIMIT 1", __FILE__, __LINE__);
list ($starter, $poster, $subject, $post_time, $locked) = mysql_fetch_row($request);
mysql_free_result($request);

if (!empty($locked) && !allowedTo('moderate_board'))
fatal_error('You are not allowed to delete posts in a locked topic.', false);


This should only allow mods or admins to delete posts in a locked topic. (not tested)

[gbsothere]

Hmm....  Yes and No, on mine.  The newbie trying to delete gets a white page with this in the browser:

action=deletemsg;topic=674.15;msg=127431;sesc=4cb69bdfabe22762f9cc4f0cd4a7f609


The admin refreshing the thread sees that the post is still there, though.   



Edit:  Well, the newbie is still getting the white page when trying to delete on open threads and the post isn't deleting. 

[Kays]

Any errors in the error log?

I can't get IE to open my test site so I can login with a second account to test this..

[gbsothere]

Actually no, no errors.  (I was actually hoping for some.)   

[Kays]

Problem was with the test site as a guest and not the browser.

Found the white screen problem and correct the code posted above.

I see another problem in that the "Remove" button is still showing. Just looking into it now.

[gbsothere]

An Error Has Occurred!
You are not allowed to delete posts in a locked topic.




Yay!  Great job, Kays!   The newbie can delete on open threads, no problem, but not on locked threads.  Nice!   

[Kays]

Cool.

To remove the "Remove" button. In Sources/Display look for:

Code Select Expand


'can_remove' => allowedTo('delete_any') || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['ID_MEMBER'] == $ID_MEMBER && (empty($modSettings['edit_disable_time']) || $message['posterTime'] + $modSettings['edit_disable_time'] * 60 > time())),


And replace it with:

Code Select Expand


'can_remove' => (!$context['is_locked'] || allowedTo('moderate_board')) && (allowedTo('delete_any') || (allowedTo('delete_replies') && $context['user']['started']) || (allowedTo('delete_own') && $message['ID_MEMBER'] == $ID_MEMBER && (empty($modSettings['edit_disable_time']) || $message['posterTime'] + $modSettings['edit_disable_time'] * 60 > time()))),


One thing I find strange is that although there are two levels of lock. User and moderator. Once a topic is locked by the topic starter. It seems that they can't edit it even if they have permissions to do so. That I don't think is correct behaviour.

[gbsothere]

The last code works beautifully!

I agree; it's very odd.  It'd be nice if this could be worked out in 2.0 before it goes gold.

[Kays]

I've opened a bug report on this for 2.0.

http://dev.simplemachines.org/mantis/view.php?id=4488

Maybe move this topic th Bug Reports also.

[Aleksi "Lex" Kilpinen]

Commented on the tracker, but I'll say it here as well...

Honestly, I don't think this is a bug. If one is allowed to delete his own posts, then that should be allowed wether or not the topic is locked. I can see the reasoning behind not allowing to edit posts in a locked topic though, but this is different.

[Oya]

perhaps there needs to be a new permission for deleting own/any posts in a locked topic?

[JimM]

@ Hidoshi - were you able to use the code above to fix the issue?  If this is solved, please mark it solved by clicking the Mark Topic Solved link at the bottom left.