designwall · timhibberd · Dec 22, 2019 · Dec 22, 2019 · Dec 24, 2019 · Dec 24, 2019
diff --git a/inc/Ajax.php b/inc/Ajax.php
@@ -25,20 +25,20 @@ public function __construct() {
 	}
 
 	public function delete_comment() {
+		$comment = get_comment( $_GET['comment_id'] );
 		if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( $_GET['_wpnonce'] ), '_dwqa_delete_comment' ) ) {
 			wp_die( __( 'Are you cheating huh?', 'dw-question-answer' ) );
 		}
 
-		if ( !dwqa_current_user_can( 'delete_comment' ) ) {
+		if ( !dwqa_current_user_can( 'delete_comment', $comment->comment_post_ID, $comment->comment_ID ) ) {
 			wp_die( __( 'You do not have permission to edit comment.', 'dw-question-answer' ) );
 		}
 
 		if ( ! isset( $_GET['comment_id'] ) ) {
 			wp_die( __( 'Comment ID must be showed.', 'dw-question-answer' ) );
 		}
 
-		wp_delete_comment( intval( $_GET['comment_id'] ) );
-		$comment = get_comment( $_GET['comment_id'] );
+		wp_delete_comment( intval( $comment->comment_ID ) );
 		exit( wp_safe_redirect( dwqa_get_question_link( $comment->comment_post_ID ) ) );
 	}
 
@@ -168,7 +168,7 @@ public function delete_question() {
 			wp_die( __( 'This post is not question.', 'dw-question-answer' ) );
 		}
 
-		if ( !dwqa_current_user_can( 'delete_answer' ) ) {
+		if ( !dwqa_current_user_can( 'delete_question', intval( $_GET['question_id'] ) ) ) {
 			wp_die( __( 'You do not have permission to delete this post.', 'dw-question-answer' ) );
 		}
 
@@ -301,4 +301,4 @@ public function posts_where_suggest( $where ) {
 		}
 		return $where;
 	}
-}
+}
diff --git a/inc/Handle.php b/inc/Handle.php
@@ -137,7 +137,7 @@ public function insert_answer() {
 
 	public function update_answer() {
 		if ( isset( $_POST['dwqa-edit-answer-submit'] ) ) {
-			if ( !dwqa_current_user_can( 'edit_answer' ) ) {
+			if ( !dwqa_current_user_can( 'edit_answer', intval( $_POST['answer_id'] ) ) ) {
 				dwqa_add_notice( __( "You do not have permission to edit answer.", 'dw-question-answer' ), 'error' );
 			}
 
@@ -484,7 +484,7 @@ public function update_question() {
 		if ( isset( $_POST['dwqa-edit-question-submit'] ) ) {
 			if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( esc_html( $_POST['_wpnonce'] ), '_dwqa_edit_question' ) ) {
 
-				if ( !dwqa_current_user_can( 'edit_question' ) ) {
+				if ( !dwqa_current_user_can( 'edit_question', intval( $_POST['question_id'] ) ) ) {
 					dwqa_add_notice( __( "You do not have permission to edit question", 'dw-question-answer' ), 'error' );
 				}
 

diff --git a/inc/Permission.php b/inc/Permission.php
@@ -1,15 +1,18 @@
 <?php  
-function dwqa_user_can( $user_id, $perm, $post_id = false ) {
+function dwqa_user_can( $user_id, $perm, $post_id = false, $comment_id = false ) {
 	global $dwqa;
 	$can = false;
+	if ( !$post_id ){
+		$post_id = get_the_ID();
+	}
 	if ( $user_id &&  is_numeric($user_id) ) {
 		if ( $post_id ) {
 			// perm with post id
 			$is_comment = array( 'post_comment', 'read_comment', 'delete_comment', 'edit_comment', 'manage_comment' );
 			$post_author = 0;
 			// is comment
 			if ( in_array( $perm, $is_comment ) ) {
-				$comment = get_comment( $post_id );
+				$comment = get_comment( $comment_id );
 				if ( isset( $comment->user_id ) ) {
 					$post_author = $comment->user_id;
 				}
@@ -38,9 +41,9 @@ function dwqa_user_can( $user_id, $perm, $post_id = false ) {
 	return apply_filters( 'dwqa_user_can', $can, $perm, $user_id, $post_id );
 }
 
-function dwqa_current_user_can( $perm, $post_id = false ) {
+function dwqa_current_user_can( $perm, $post_id = false, $comment_id = false ) {
 	$current_user_id = get_current_user_id();
-	$can = dwqa_user_can( $current_user_id, $perm, $post_id );
+	$can = dwqa_user_can( $current_user_id, $perm, $post_id, $comment_id );
 	return apply_filters( 'dwqa_current_user_can', $can, $current_user_id, $perm, $post_id );
 }
 
@@ -427,4 +430,4 @@ public function restrict_single_question( $posts ) {
 	}
 }
 
-?>
+?>
diff --git a/templates/assets/js/dwqa-single-question.js b/templates/assets/js/dwqa-single-question.js
@@ -108,9 +108,9 @@
 		});
 	});
 
-	// delete question
+	// delete question, answer or comment
 	$( '.dwqa_delete_question, .dwqa_delete_answer, .dwqa-delete-comment' ).on('click', function(e) {
-		var message = confirm( 'Are you sure to delete this question.' );
+		var message = confirm( 'Are you sure to delete this item.' );
 
 		if ( !message ) {
 			e.preventDefault();
@@ -175,4 +175,4 @@
         current_form.find('.dwqa-form-submit').show();
 	});
 
-})(jQuery);
+})(jQuery);
diff --git a/templates/content-comment.php b/templates/content-comment.php
@@ -15,10 +15,10 @@
 		<?php dwqa_print_user_badge( $comment->user_id, true ); ?>
 		<?php printf( _x( 'replied %s ago', '%s = human-readable time difference', 'dw-question-answer' ), human_time_diff( get_comment_time( 'U', true ) ) ); ?>
 		<div class="dwqa-comment-actions">
-			<?php if ( dwqa_current_user_can( 'edit_comment' ) ) : ?>
+			<?php if ( dwqa_current_user_can( 'edit_comment', get_the_ID(), $comment->comment_ID ) ) : ?>
 				<a href="<?php echo esc_url( add_query_arg( array( 'comment_edit' => $comment->comment_ID ) ) ) ?>"><?php _e( 'Edit', 'dw-question-answer' ) ?></a>
 			<?php endif; ?>
-			<?php if ( dwqa_current_user_can( 'delete_comment' ) ) : ?>
+			<?php if ( dwqa_current_user_can( 'delete_comment', get_the_ID(), $comment->comment_ID ) ) : ?>
 				<a class="dwqa-delete-comment" href="<?php echo wp_nonce_url( add_query_arg( array( 'action' => 'dwqa-action-delete-comment', 'comment_id' => $comment->comment_ID ), admin_url( 'admin-ajax.php' ) ), '_dwqa_delete_comment' ) ?>"><?php _e( 'Delete', 'dw-question-answer' ) ?></a>
 			<?php endif; ?>
 		</div>