Ticket #1848 (closed defect (bug): fixed)

Opened 6 years ago

Last modified 5 years ago

Posting comments into a locked post

Reported by: WhiteAcid
Owned by: anonymous
Priority: normal
Milestone:
Component: General
Version: 1.6
Severity: normal
Keywords: comments
Cc:

Description

By changing the hidden value in the "make comments" form it's possible to comment into a locked post. You still cannot read the locked post or read other comments in it, but you can post in it.

Change History

I forgot to talk about possible solutions. When anyone posts into the locked post it should check to see if they have the cookies that are required to read the post set to the right thing. If not, then it either asks for the post password or just drops the whole thing.

  • Keywords comments added
  • Status changed from new to closed
  • Resolution set to fixed
  • Severity changed from minor to normal
  • Milestone set to 2.2

I just tested this in SVN [4984]. Here is what I did:

a) Made a post and marked it as closed to comments (ID = 4)

b) Visited the comment page for a different post (ID = 3)

c) Copied the HTML page I was viewing into a local HTML file, and edited the hidden field for the post ID number to 4.

d) In my browser viewing my modified HTML page, typed a comment and clicked submit. I got a message saying comments are closed for this post, and the comment was not added.

e) Just to make sure it wasn't an artifact, I changed the ID back to 3, and submitted a comment successfully to that post from my local HTML page.

So this has apparently been fixed sometime between 1.6 and now. I'll close the bug.

  • Milestone 2.2 deleted
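
The server-side check proposed in the first comment, together with the tampered-form test from the last comment, as an added example (not code from this ticket or the project). The field name `comment_post_ID`, the cookie name `postpass_<id>`, the token scheme and the sample posts are all hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Post:
    post_id: int
    comments_open: bool = True
    password: Optional[str] = None  # None: post is not password-protected


# Constructed sample data: 3 is open, 4 is closed to comments, 5 is locked.
POSTS = {3: Post(3), 4: Post(4, comments_open=False), 5: Post(5, password="s3cret")}
SERVER_SECRET = b"constructed-demo-secret"  # assumption: per-site secret key


def access_token(post: Post) -> str:
    """Cookie value the server issues once the post password was entered."""
    msg = f"{post.post_id}:{post.password}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def accept_comment(form: dict, cookies: dict) -> tuple:
    """Return (accepted, reason); every decision uses server-side state only."""
    try:
        post_id = int(form.get("comment_post_ID", ""))  # hidden field: untrusted
    except (TypeError, ValueError):
        return False, "invalid post id"
    post = POSTS.get(post_id)
    if post is None:
        return False, "no such post"
    if not post.comments_open:
        return False, "comments closed"
    if post.password is not None:
        # Same condition that gates reading the post also gates writing to it.
        supplied = str(cookies.get(f"postpass_{post_id}", ""))
        if not hmac.compare_digest(supplied.encode(), access_token(post).encode()):
            return False, "password required"
    if not str(form.get("comment", "")).strip():
        return False, "empty comment"
    return True, "accepted"


if __name__ == "__main__":
    # Steps c) to e) of the test above: same form, hidden ID edited to 4, then back to 3.
    for pid in ("4", "3", "5"):
        print(pid, accept_comment({"comment_post_ID": pid, "comment": "hello"}, {}))
```

The hidden field only selects which post to look up; whether the comment is stored depends on that post's own state and on the same access cookie that gates reading it.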