Details
- Bug
- Resolution: Fixed
- Low
- 3.9.1
- 3.09
Description
The validateCommentUpdate(), hasPermissionToUpdate() and hasPermissionToDelete() methods on DefaultCommentService check the user's comment-related permissions but neglect to check whether they have a role/group security level viewable by the user attempting to delete a comment.
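The gap described above, shown as an added example that is not JIRA's code: a delete check that looks only at the comment permission, next to one that also requires the comment's group/role level to be visible to the caller. The types, fields, the "Before"/"After" method names and the sample users and groups are all hypothetical, and the permission rule is a simplification.

```java
import java.util.Set;

// Simplified model, not JIRA's real classes: every type and member here is hypothetical.
public class CommentVisibilityCheck {

    // A comment may be restricted to a group or a project role; null means unrestricted.
    record Comment(String author, String groupLevel, String roleLevel) {}

    record User(String name, Set<String> groups, Set<String> roles, boolean canDeleteAllComments) {}

    // Behaviour the report describes: only the comment-related permission is consulted.
    static boolean hasPermissionToDeleteBefore(User user, Comment comment) {
        return user.canDeleteAllComments() || user.name().equals(comment.author());
    }

    // The check the report says is missing: is the comment's security level visible to this user?
    static boolean canSee(User user, Comment comment) {
        if (comment.groupLevel() != null && !user.groups().contains(comment.groupLevel())) {
            return false;
        }
        if (comment.roleLevel() != null && !user.roles().contains(comment.roleLevel())) {
            return false;
        }
        return true;
    }

    // Hardened form: visibility is evaluated first, and both conditions must hold.
    static boolean hasPermissionToDeleteAfter(User user, Comment comment) {
        return canSee(user, comment) && hasPermissionToDeleteBefore(user, comment);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        Comment restricted = new Comment("alice", "jira-administrators", null);
        User bob = new User("bob", Set.of("jira-users"), Set.of("Developers"), true);
        User carol = new User("carol", Set.of("jira-administrators"), Set.of(), true);

        // bob holds the delete permission but is outside the comment's group.
        System.out.println("before, bob:   " + hasPermissionToDeleteBefore(bob, restricted));
        System.out.println("after,  bob:   " + hasPermissionToDeleteAfter(bob, restricted));
        // carol holds the permission and is in the group, so she is still allowed.
        System.out.println("after,  carol: " + hasPermissionToDeleteAfter(carol, restricted));
    }
}
```

The same visibility test belongs in the update path as well, so that edit and delete decisions cannot diverge from what the user is allowed to read.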