
Checking for credentials while deleting a moderator comment

Signed-off-by: Suki <[email protected]>
Suki пре 11 година
родитељ
комит
99eb0ff01f
2 измењених фајлова са 20 додато и 1 уклоњено
  1. 18 1
      Sources/ReportedPosts.php
  2. 2 0
      Themes/default/languages/ModerationCenter.english.php

+ 18 - 1
Sources/ReportedPosts.php

@@ -381,7 +381,9 @@ function ReportDetails()
  */
 function HandleComment()
 {
-	global $smcFunc, $scripturl;
+	global $smcFunc, $scripturl, $user_info;
+
+	$comment = array();
 
 	// The report ID is a must.
 	if (empty($_REQUEST['rid']))
@@ -415,6 +417,21 @@ function HandleComment()
 
 		$comment_id = (int) $_REQUEST['mid'];
 
+		// We need to verify some data, so lets load the comment details once more!
+		$comment = getCommentModDetails($comment_id);
+
+		// Perhaps somebody else already deleted this fine gem...
+		if (empty($comment))
+			fatal_lang_error('report_action_message_delete_issue');
+
+		// Can you actually do this?
+		$comment_owner = $user_info['id'] == $context['comment']['id_member'];
+
+		// Nope! sorry.
+		if (!allowedTo('admin_forum') || !$comment_owner)
+			fatal_lang_error('report_action_message_delete_cannot');
+
+		// All good!
 		deleteModComment($comment_id);
 
 		// Tell them the message was deleted.
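Review bot: The ownership test `$comment_owner = $user_info['id'] == $context['comment']['id_member'];` reads `$context`, which is neither in this function's `global` list (the hunk above adds only `$user_info`) nor the variable the comment was just loaded into, so the right-hand side is null and `$comment_owner` is false for every real member; the details returned by `getCommentModDetails()` are in `$comment`. Combined with `||` in `if (!allowedTo('admin_forum') || !$comment_owner)`, the deletion is refused for everyone: a non-admin owner fails the first operand and an admin who did not write the comment fails the second, which inverts the intended "admin or owner" rule and would make the whole delete path dead. Suggested lines: `$comment_owner = (int) $user_info['id'] === (int) $comment['id_member'];` and `if (!allowedTo('admin_forum') && !$comment_owner)`, assuming `getCommentModDetails()` returns an `id_member` key as the edit path presumably does; that should be confirmed against the helper. HandleComment continues outside this hunk.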

+ 2 - 0
Themes/default/languages/ModerationCenter.english.php

@@ -128,6 +128,8 @@ $txt['report_action_message_edited'] = 'You successfully edited the comment.';
 $txt['report_action_message_deleted'] = 'The message was successfully deleted.';
 $txt['report_action_message_edit_issue'] = 'The message you\'re trying to edit isn\'t available any more. Please check if it wasn\'t deleted already.';
 $txt['report_action_message_edit_cannot'] = 'I\'m sorry, you aren\'t allowed to edit this comment.';
+$txt['report_action_message_delete_cannot'] = 'I\'m sorry, you aren\'t allowed to delete this comment.';
+$txt['report_action_message_delete_issue'] = 'The message you\'re trying to delete isn\'t available any more. Please check if it wasn\'t deleted already.';
 $txt['report_action_ignore'] = 'The report was successfully ignored.';
 $txt['report_action_unignore'] = 'The report was successfully un-ignored.';
 $txt['report_action_close'] = 'The report was successfully closed.';