
User cannot edit their own Questions, Answers and Comments #238

Open
timhibberd opened this issue Dec 22, 2019 · 3 comments

Comments

@timhibberd

timhibberd commented Dec 22, 2019

BUG: In DWQA v1.5.7 a user cannot edit their own Questions, Answers and Comments.

To reproduce, set the DWQA subscriber permissions as follows for Questions, Answers, and Comments:

Read: Checked
Post: Checked
Edit: Unchecked
Delete: Unchecked


ROOT CAUSE: There are two reasons why this bug occurs:

  1. Not all dwqa_current_user_can() function invokers pass the postid which is needed by the permission logic to determine if this is the user's own question/answer/comment;
  2. The comment permissions check requires a commentid not a postid and the commentid is not passed in by the function invoker in appropriate place(s).

NOTE:
The permissions design in DWQA v1.5.7 is misleading and needs a complete review. The permissions implementation is a mixed metaphor of mine & others which does not operate consistently. In DWQA v1.5.7 it appears that the permissions metaphor is as follows (have not tested exhaustively though so take with a grain of salt):

  • READ: If unchecked, the user cannot read any. If checked, the user can read all (own & others).
  • POST: If unchecked, the user cannot create. If checked, the user can create own & others.
  • EDIT: If unchecked, the user can edit their own. If checked, the user can edit all (own & others).
  • DELETE: If unchecked, the user can delete their own. If checked, the user can delete all (own & others).

So, if you check POST for questions but uncheck READ for Questions then the user can create a question which they cannot subsequently read! So READ should always be checked if POST is checked.


SOLUTION: A solution will be proposed in a Pull Request with a back-reference to this issue.

timhibberd added a commit to SkyBind/dw-question-answer that referenced this issue Dec 22, 2019
Fix included here involves:
1) passing in the commentid;
2) using the commentid in place of the postid for the comment author check; and;
3) initialising the postid used in the author question/answer author check when it is not passed in.

See issue designwall#238 for details.
timhibberd added a commit to SkyBind/dw-question-answer that referenced this issue Dec 22, 2019
Fix included here involves:
1) passing in the postid/commentid.

See issue designwall#238 for details.
@ansar-859

ansar-859 commented Jun 4, 2020

Hi timhibberd,
I tried your solution, but it seems it does not completely meet the purpose. I can edit my own posted comment but fail to delete it. I fail to edit my own answer but am successful in deleting it.

@victorwardi

victorwardi commented Sep 3, 2020

For comments I have solved this issue by checking if the current user is the comment author:

file: `/templates/content-comment.php`

`$current_user->ID == $comment->user_id`

```php
	<?php $current_user = wp_get_current_user(); ?>

	<?php if ( dwqa_current_user_can( 'edit_comment' ) || $current_user->ID == $comment->user_id ) : ?>
		<a href="<?php echo esc_url( add_query_arg( array( 'comment_edit' => $comment->comment_ID ) ) ) ?>"><?php _e( 'Edit', 'dw-question-answer' ) ?></a>
	<?php endif; ?>

	<?php if ( dwqa_current_user_can( 'delete_comment' ) || $current_user->ID == $comment->user_id ) : ?>
		<a class="dwqa-delete-comment" href="<?php echo wp_nonce_url( add_query_arg( array( 'action' => 'dwqa-action-delete-comment', 'comment_id' => $comment->comment_ID ), admin_url( 'admin-ajax.php' ) ), '_dwqa_delete_comment' ) ?>"><?php _e( 'Delete', 'dw-question-answer' ) ?></a>
	<?php endif; ?>

</div>
```

@timhibberd
Author

timhibberd commented Sep 5, 2020

Hi @victorwardi - your suggestion does solve @ansar-859's problem, but only by bypassing the permissions logic. So it fixes one problem and opens up another problem. With this change, for example, someone who has Edit / Delete permission revoked would still be able to Edit / Delete comments they made in the past. In my client's service, for example, Edit / Delete is reserved for paying customers. If a customer stops paying and is demoted to the free tier, they lose that power. With your suggested code change they would retain that power...at least for comments they had made in the past. Not a terrible side-effect in this use-case, but not the intended operation.

Either "current user can edit/delete comment" or they can't.
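As an added example (not DWQA's code, and not code from anyone in this thread), the following PHP models the two root causes from the opening post and the point made in the reply above: one permission function that needs the correct object id to establish ownership, beside the template-level OR that decides without consulting the configured permissions. The class name, the policy array, the post and comment records, and the meaning assigned to an unchecked Edit/Delete box are all assumptions constructed for this example.

```php
<?php
// Added example, not DWQA code: a minimal model of a capability check that
// must receive the object id to decide ownership, beside the template-level
// OR suggested in the thread. The class, records and policy are constructed.

class ExamplePermissionChecker {
    private $policy;
    private $posts;
    private $comments;
    private $own_when_unchecked;

    // $own_when_unchecked is the assumed meaning of an unchecked Edit/Delete
    // box: the issue describes it as "own only", the reply treats it as
    // "revoked". Both readings are modelled so they can be compared.
    public function __construct( array $policy, array $posts, array $comments, $own_when_unchecked ) {
        $this->policy             = $policy;
        $this->posts              = $posts;
        $this->comments           = $comments;
        $this->own_when_unchecked = $own_when_unchecked;
    }

    // Root cause 2: a comment's author lives in the comment record, while a
    // question's or answer's author lives in the post record, so the lookup
    // must be keyed by the right kind of id.
    private function author_of( $type, $object_id ) {
        if ( $type === 'comment' ) {
            return isset( $this->comments[ $object_id ] ) ? $this->comments[ $object_id ]['user_id'] : null;
        }
        return isset( $this->posts[ $object_id ] ) ? $this->posts[ $object_id ]['author'] : null;
    }

    // $capability is 'read_question', 'edit_comment', etc.; $object_id is a
    // post id for questions/answers and a comment id for comments.
    public function user_can( $user_id, $role, $capability, $object_id = null ) {
        list( $perm, $type ) = explode( '_', $capability, 2 );
        if ( ! isset( $this->policy[ $role ][ $type ][ $perm ] ) ) {
            return false;                 // unknown role/type/perm: deny
        }
        if ( $this->policy[ $role ][ $type ][ $perm ] ) {
            return true;                  // box checked: own and others
        }
        if ( ! in_array( $perm, array( 'edit', 'delete' ), true ) || ! $this->own_when_unchecked ) {
            return false;                 // read/post have no "own" fallback
        }
        if ( $object_id === null ) {
            return false;                 // root cause 1: no id, so ownership cannot be proven
        }
        $author = $this->author_of( $type, $object_id );
        return $author !== null && $author === $user_id;
    }
}

// Constructed policy in the shape of the settings the issue describes for the
// subscriber role (Read and Post checked, Edit and Delete unchecked).
$policy = array(
    'subscriber' => array(
        'question' => array( 'read' => true, 'post' => true, 'edit' => false, 'delete' => false ),
        'answer'   => array( 'read' => true, 'post' => true, 'edit' => false, 'delete' => false ),
        'comment'  => array( 'read' => true, 'post' => true, 'edit' => false, 'delete' => false ),
    ),
);
// Constructed records: post 101 by user 7; comment 501 on post 101 by user 9.
$posts    = array( 101 => array( 'type' => 'question', 'author' => 7 ) );
$comments = array( 501 => array( 'post' => 101, 'user_id' => 9 ) );

$checker = new ExamplePermissionChecker( $policy, $posts, $comments, true );
$user    = 9;

// Root cause 1: the invoker passes no id, so the own-comment path cannot run
// and the author is denied despite owning the comment.
var_dump( $checker->user_can( $user, 'subscriber', 'edit_comment' ) );
// Root cause 2: passing the post id where a comment id is required resolves
// the wrong author (post 101 belongs to user 7), so the author is denied again.
var_dump( $checker->user_can( $user, 'subscriber', 'edit_comment', 101 ) );
// Correct invocation: the comment id reaches the comment-author lookup.
var_dump( $checker->user_can( $user, 'subscriber', 'edit_comment', 501 ) );

// The template-level OR from the thread, modelled here. The author match is
// true without consulting the policy at all, which masks both bugs above...
$bypass = $checker->user_can( $user, 'subscriber', 'edit_comment' ) || $user === $comments[501]['user_id'];
var_dump( $bypass );
// ...and remains true when the site treats an unchecked box as revoked, which
// is the tier-demotion case described in the reply: the function now denies,
// the template-level OR still grants.
$strict = new ExamplePermissionChecker( $policy, $posts, $comments, false );
var_dump( $strict->user_can( $user, 'subscriber', 'edit_comment', 501 ) );
var_dump( $strict->user_can( $user, 'subscriber', 'edit_comment', 501 ) || $user === $comments[501]['user_id'] );
```

The design point is that the ownership test belongs inside the one permission function, which therefore has to be handed the id of the thing being edited; adding a second author check in the template creates a decision path the administrator's permission settings can never switch off.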
