xwiki · Sereza7 · Feb 1, 2024 · Feb 7, 2024 · Feb 7, 2024 · Feb 7, 2024
diff --git a/...skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/commentsinline.vm b/...skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/commentsinline.vm
@@ -184,7 +184,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true)
       <a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow"
         href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}"
         title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a>
-      #if ($hasAdmin || ($hasEdit && $isUserComment))
+      #if ($hasAdmin || $isUserComment)
         ## If a remote URL is provided, content will be loaded into .modal-content because of bootstrap.
         ## By providing an anchor this behavior is stoped, without altering the URL functionality.
         #set ($queryString = $escapetool.url({
@@ -193,7 +193,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true)
           'classid': $comment.number,
           'xredirect': $doc.getURL('view')
         }))
-        #set ($deleteURL = $xwiki.getURL($doc.fullName, 'objectremove', $queryString, "xwikicomment_${comment.number}"))
+        #set ($deleteURL = $xwiki.getURL($doc.fullName, 'commentdelete', $queryString, "xwikicomment_${comment.number}"))
         <a class="delete btn btn-default btn-xs " data-toggle="modal" data-target="#deleteModal" rel="nofollow"
           href="$deleteURL" title="$services.localization.render('core.viewers.comments.delete')">
           $services.icon.renderHTML('cross')

diff --git a/...i-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java b/...i-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
@@ -136,6 +136,7 @@ public String getRight(String action)
             actionMap.put("reset", "delete");
             actionMap.put("commentadd", "comment");
             actionMap.put("commentsave", "comment");
+            actionMap.put("commentdelete", "comment");
             actionMap.put("register", "register");
             actionMap.put("redirect", "view");
             actionMap.put("admin", "admin");

diff --git a/...form-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CommentDeleteAction.java b/...form-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CommentDeleteAction.java
@@ -0,0 +1,159 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package com.xpn.xwiki.web;
+
+import java.io.IOException;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+import javax.script.ScriptContext;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.xwiki.component.annotation.Component;
+import org.xwiki.model.reference.DocumentReference;
+import org.xwiki.security.authorization.ContextualAuthorizationManager;
+import org.xwiki.store.TemporaryAttachmentSessionsManager;
+import org.xwiki.user.CurrentUserReference;
+import org.xwiki.user.UserReferenceResolver;
+
+import com.xpn.xwiki.XWiki;
+import com.xpn.xwiki.XWikiContext;
+import com.xpn.xwiki.XWikiException;
+import com.xpn.xwiki.doc.XWikiDocument;
+import com.xpn.xwiki.objects.BaseObject;
+
+/**
+ * Action used to remove a comment from a page, requires comment right but not edit right.
+ *
+ * @version $Id$
+ * @since 16.1.0RC1
+ */
+@Component
+@Named("commentdelete")
+@Singleton
+public class CommentDeleteAction extends XWikiAction
+{
+    @Inject
+    private UserReferenceResolver<CurrentUserReference> currentUserReferenceUserReferenceResolver;
+
+    @Inject
+    private TemporaryAttachmentSessionsManager temporaryAttachmentSessionsManager;
+
+    @Inject
+    private ContextualAuthorizationManager authorization;
+
+    @Override
+    protected Class<? extends XWikiForm> getFormClass()
+    {
+        return ObjectRemoveForm.class;
+    }
+
+    protected BaseObject getObject(XWikiDocument doc, XWikiContext context)
+    {
+        ObjectRemoveForm form = (ObjectRemoveForm) context.getForm();
+        BaseObject obj = null;
+
+        String className = form.getClassName();
+        int classId = form.getClassId();
+        String attributeName = "message";
+        if (StringUtils.isBlank(className)) {
+            getCurrentScriptContext().setAttribute(attributeName,
+                    localizePlainOrReturnKey("platform.core.action.commentRemove.noClassnameSpecified"),
+                    ScriptContext.ENGINE_SCOPE);
+        } else if (classId < 0) {
+            getCurrentScriptContext().setAttribute(attributeName,
+                    localizePlainOrReturnKey("platform.core.action.commentRemove.noCommentSpecified"),
+                    ScriptContext.ENGINE_SCOPE);
+        } else {
+            obj = doc.getObject(className, classId);
+            if (obj == null) {
+                getCurrentScriptContext().setAttribute(attributeName,
+                        localizePlainOrReturnKey("platform.core.action.commentRemove.invalidComment"),
+                        ScriptContext.ENGINE_SCOPE);
+            }
+        }
+
+        return obj;
+    }
+
+    @Override
+    public boolean action(XWikiContext context) throws XWikiException
+    {
+        // CSRF prevention
+        if (!csrfTokenCheck(context)) {
+            return false;
+        }
+
+        XWiki xwiki = context.getWiki();
+        XWikiResponse response = context.getResponse();
+        XWikiDocument doc = context.getDoc();
+        DocumentReference userReference = context.getUserReference();
+
+        // We need to clone this document first, since a cached storage would return the same object for the
+        // following requests, so concurrent request might get a partially modified object, or worse, if an error
+        // occurs during the save, the cached object will not reflect the actual document at all.
+        doc = doc.clone();
+
+        BaseObject obj = getObject(doc, context);
+        if (obj == null) {
+            return true;
+        }
+
+        doc.removeObject(obj);
+        doc.setAuthorReference(userReference);
+
+        String changeComment = localizePlainOrReturnKey("core.comment.deleteComment");
+
+        // Make sure the user is allowed to make this modification
+        context.getWiki().checkSavingDocument(userReference, doc, changeComment, true, context);
+
+        xwiki.saveDocument(doc, changeComment, true, context);
+
+        if (Utils.isAjaxRequest(context)) {
+            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+            response.setContentLength(0);
+        } else {
+            // forward to edit
+            String redirect = Utils.getRedirect("edit", context);
+            sendRedirect(response, redirect);
+        }
+        return false;
+    }
+
+    @Override
+    public String render(XWikiContext context) throws XWikiException
+    {
+        if (Utils.isAjaxRequest(context)) {
+            XWikiResponse response = context.getResponse();
+            response.setStatus(HttpServletResponse.SC_CONFLICT);
+            response.setContentType("text/plain");
+            try {
+                response.getWriter().write("failed");
+                response.setContentLength(6);
+            } catch (IOException e) {
 LOGGER.error("Failed to send error response to AJAX save and continue request.", e); 
 LOGGER.error("Failed to send error response to AJAX save and continue request.", e); 
+            }
+            return null;
+        } else {
+            return "error";
+        }
+    }
+}
diff --git a/...i-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties b/...i-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties
@@ -943,6 +943,7 @@ core.comment.tooltip=Enter a brief description of your changes
 core.comment.prompt=Enter a brief description of your changes
 core.comment.addComment=Added comment
 core.comment.editComment=Edited comment
+core.comment.deleteComment=Deleted comment
 core.comment.addObject=Added object
 core.comment.updateObject=Updated object
 core.comment.deleteObject=Deleted object
@@ -2170,6 +2171,9 @@ platform.core.invalidUrl=This is not a valid URL
 platform.core.action.objectRemove.noClassnameSpecified=No object type specified.
 platform.core.action.objectRemove.noObjectSpecified=No object specified.
 platform.core.action.objectRemove.invalidObject=Invalid object specified.
+platform.core.action.commentRemove.noClassnameSpecified=No object type specified.
+platform.core.action.commentRemove.noCommentSpecified=No comment specified.
+platform.core.action.commentRemove.invalidComment=Invalid comment specified.
 platform.core.action.deleteAttachment.noAttachment=This attachment does not exist.
 core.action.deleteAttachment.failed=Failed to delete attachment {0}
 core.action.upload.failure=Failed to upload {0,choice,0#files|1#one file|1<{0} files}.

diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/META-INF/components.txt b/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/META-INF/components.txt
@@ -225,6 +225,7 @@ com.xpn.xwiki.web.AttachAction
 com.xpn.xwiki.web.CancelAction
 com.xpn.xwiki.web.CommentAddAction
 com.xpn.xwiki.web.CommentSaveAction
+com.xpn.xwiki.web.CommentDeleteAction
 com.xpn.xwiki.web.CreateAction
 com.xpn.xwiki.web.DeleteAction
 com.xpn.xwiki.web.DeleteAttachmentAction

diff --git a/...dge/src/main/java/org/xwiki/security/authorization/internal/XWikiCachingRightService.java b/...dge/src/main/java/org/xwiki/security/authorization/internal/XWikiCachingRightService.java
@@ -92,6 +92,7 @@ public class XWikiCachingRightService implements XWikiRightService
             .putAction("reset", Right.DELETE)
             .putAction("commentadd", Right.COMMENT)
             .putAction("commentsave", Right.COMMENT)
+            .putAction("commentdelete", Right.COMMENT)
             .putAction("redirect", Right.VIEW)
             .putAction("export", Right.VIEW)
             .putAction("import", Right.ADMIN)

diff --git a/xwiki-platform-tools/xwiki-platform-tool-rootwebapp/src/main/webapp/robots.txt b/xwiki-platform-tools/xwiki-platform-tool-rootwebapp/src/main/webapp/robots.txt
@@ -30,6 +30,7 @@ Disallow: /xwiki/bin/propenable/
 Disallow: /xwiki/bin/propdelete/
 Disallow: /xwiki/bin/objectadd/
 Disallow: /xwiki/bin/commentadd/
+Disallow: /xwiki/bin/commentdelete/
 Disallow: /xwiki/bin/commentsave/
 Disallow: /xwiki/bin/objectsync/
 Disallow: /xwiki/bin/objectremove/