More bugs found in there.
The scripts that actually modify/delete the comments have code in them to allow admins to edit/delete.
/scripts/showprofile.inc.php, however, does not show the edit link to admins.
Changed this line:
if ($c_uid == $user['USER_ID']) {
to:
if ($c_uid == $user['USER_ID'] || $user['USER_MEMBERSHIP_LEVEL'] == "Administrator") {
Though I would prefer something new or existing from the permission matrix.
Another, more severe buglet is also present. The final modify script has no code to disallow an edit by the current profile owner. It just checks whether you may "edit or delete", and if you are allowed either, it allows both.
So a profile owner can change the words in a comment left on their profile.
Dirty Fix: (don't have time now to rebuild the if statement that should check)
find:
$query = "
    update {$config['TABLE_PREFIX']}PROFILE_COMMENTS
    set COMMENT_BODY = ?,
        COMMENT_DEFAULT_BODY = ?
    where COMMENT_ID = ?
";
$dbh -> do_placeholder_query($query,array($Body,$DefaultBody,$id),__LINE__,__FILE__);
Add before:
if ($poster == $user['USER_ID']) {
    $html->not_right($ubbt_lang['NO_EDIT']);
}
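To make the two problems above easier to see side by side, here is a small stand-alone PHP model of the checks. It is an added example, not code from UBB.threads or from the poster: the array keys USER_ID and USER_MEMBERSHIP_LEVEL, the $c_uid variable and the NO_EDIT message follow the post, while the function names, the sample users, and the assumption that $poster in the dirty fix holds the profile owner's id (which is what the comparison implies) are mine.

```php
<?php
// Added example (not UBB.threads code). Models the permission checks the post
// describes so the flaw and the fix can be compared on constructed input.

// Constructed sample users; keys follow the post.
$admin  = ['USER_ID' => 1, 'USER_MEMBERSHIP_LEVEL' => 'Administrator'];
$owner  = ['USER_ID' => 2, 'USER_MEMBERSHIP_LEVEL' => 'Member'];  // profile owner
$author = ['USER_ID' => 3, 'USER_MEMBERSHIP_LEVEL' => 'Member'];  // wrote the comment
$other  = ['USER_ID' => 4, 'USER_MEMBERSHIP_LEVEL' => 'Member'];  // unrelated member

$c_uid  = 3;  // author id stored with the comment (name as in the post)
$poster = 2;  // assumed: id of the profile the comment sits on (see dirty fix)

// The original behaviour: one combined "edit or delete" test, and whoever
// passes it may do either action. The profile owner passes because they may
// delete comments on their own profile, so they get edit as well.
function combined_edit_or_delete(array $user, int $c_uid, int $poster): bool {
    return $user['USER_ID'] == $c_uid
        || $user['USER_ID'] == $poster
        || $user['USER_MEMBERSHIP_LEVEL'] == 'Administrator';
}

// Separated checks: edit is author-or-admin (the showprofile.inc.php change),
// delete additionally admits the profile owner.
function can_edit(array $user, int $c_uid): bool {
    return $user['USER_ID'] == $c_uid
        || $user['USER_MEMBERSHIP_LEVEL'] == 'Administrator';
}
function can_delete(array $user, int $c_uid, int $poster): bool {
    return can_edit($user, $c_uid) || $user['USER_ID'] == $poster;
}

// Dispatcher that applies the right check per action and reports the
// outcome instead of calling $html->not_right(). Hypothetical helper.
function decide(array $user, string $action, int $c_uid, int $poster): string {
    $allowed = $action === 'edit'
        ? can_edit($user, $c_uid)
        : can_delete($user, $c_uid, $poster);
    return $allowed ? 'allowed' : 'NO_EDIT';
}

// Compare both models for each constructed user and action.
foreach (['admin' => $admin, 'owner' => $owner, 'author' => $author, 'other' => $other] as $name => $u) {
    foreach (['edit', 'delete'] as $action) {
        $old = combined_edit_or_delete($u, $c_uid, $poster) ? 'allowed' : 'NO_EDIT';
        $new = decide($u, $action, $c_uid, $poster);
        printf("%-6s %-6s original: %-8s separated: %s\n", $name, $action, $old, $new);
    }
}
// The "owner edit" row is the one that differs: the combined check allows it,
// the separated check refuses it; every other row is unchanged.
```

Run it with `php example.php`; the only row where the two models disagree is the profile owner editing someone else's comment, which is exactly the case the dirty fix closes.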
Final buglet:
/scripts/showprofile.inc.php does not allow you to post comments on your own profile.
/scripts/profile_comment.inc.php does allow that.