xwiki · Sereza7 · Feb 1, 2024 · Feb 7, 2024 · Feb 7, 2024 · Feb 7, 2024
diff --git a/...skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/commentsinline.vm b/...skin/xwiki-platform-flamingo-skin-resources/src/main/resources/flamingo/commentsinline.vm
@@ -165,6 +165,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true)
   ## This variable should be true only for an authenticate user that matches the comment author.
   ## We don't allow guests to be edit or delete comments because we can't know if they are the comment author.
   #set ($isUserComment = $commentAuthor != '' && $services.model.resolveDocument($commentAuthor, 'user') == $xcontext.userReference)
+  #set ($hasCommentEditionRight = $hasAdmin || $isUserComment)
   <div id="xwikicomment_${comment.number}" class="xwikicomment  #if($comment.getProperty('author').value == $doc.creator) commentByCreator#end#if($isAnnotation) annotation#end">
     <div class="commentavatar">#if("$!comment.replyto" == '')#largeUserAvatar($commentAuthor)#{else}#mediumUserAvatar($commentAuthor)#end</div>
     <div class="commentheader">
@@ -177,14 +178,14 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true)
       <div class="btn-group commenttools">
       #if($xwiki.hasAccessLevel('comment'))
         <a class="commentreply btn btn-default btn-xs" rel="nofollow" href="$xredirect.replaceAll('&?replyto=\d++', '')&amp;replyto=${comment.number}#xwikicomment_${comment.number}" title="$services.localization.render('core.viewers.comments.reply')"#if("$!replyTo" == "${comment.number}") style="display: none;"#end>$services.icon.renderHTML('comment')</a></span>
-        #if($hasAdmin || $isUserComment)
+        #if($hasCommentEditionRight)
           <a class="edit btn btn-default btn-xs" rel="nofollow" href="$doc.getURL('view', "viewer=comments&amp;number=${comment.number}&amp;xredirect=$doc.getURL('view')")" title="$services.localization.render('core.viewers.comments.edit')">$services.icon.renderHTML('pencil')</a>
         #end
       #end
       <a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow"
         href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}"
         title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a>
-      #if ($hasAdmin || ($hasEdit && $isUserComment))
+        #if ($hasCommentEditionRight)
         ## If a remote URL is provided, content will be loaded into .modal-content because of bootstrap.
         ## By providing an anchor this behavior is stoped, without altering the URL functionality.
         #set ($queryString = $escapetool.url({
@@ -193,7 +194,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true)
           'classid': $comment.number,
           'xredirect': $doc.getURL('view')
         }))
-        #set ($deleteURL = $xwiki.getURL($doc.fullName, 'objectremove', $queryString, "xwikicomment_${comment.number}"))
+        #set ($deleteURL = $xwiki.getURL($doc.fullName, 'commentdelete', $queryString, "xwikicomment_${comment.number}"))
         <a class="delete btn btn-default btn-xs " data-toggle="modal" data-target="#deleteModal" rel="nofollow"
           href="$deleteURL" title="$services.localization.render('core.viewers.comments.delete')">
           $services.icon.renderHTML('trash')

diff --git a/...i-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java b/...i-platform-oldcore/src/main/java/com/xpn/xwiki/user/impl/xwiki/XWikiRightServiceImpl.java
@@ -136,6 +136,7 @@ public String getRight(String action)
             actionMap.put("reset", "delete");
             actionMap.put("commentadd", "comment");
             actionMap.put("commentsave", "comment");
+            actionMap.put("commentdelete", "comment");
             actionMap.put("register", "register");
             actionMap.put("redirect", "view");
             actionMap.put("admin", "admin");

diff --git a/...form-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CommentDeleteAction.java b/...form-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/CommentDeleteAction.java
@@ -0,0 +1,163 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package com.xpn.xwiki.web;
+
+import java.io.IOException;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import javax.inject.Singleton;
+import javax.script.ScriptContext;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xwiki.component.annotation.Component;
+import org.xwiki.model.reference.DocumentReference;
+
+import com.xpn.xwiki.XWiki;
+import com.xpn.xwiki.XWikiContext;
+import com.xpn.xwiki.XWikiException;
+import com.xpn.xwiki.doc.XWikiDocument;
+import com.xpn.xwiki.objects.BaseObject;
+
+import org.xwiki.user.CurrentUserReference;
+import org.xwiki.user.UserReference;
+import org.xwiki.user.UserReferenceResolver;
+
+/**
+ * Action used to remove a comment from a page, requires comment right but not edit right. Note that this class is
+ * largely inspired by ObjectRemoveAction and Comment
+ *
+ * @version $Id$
+ * @since 17.0.0RC1
+ */
+@Component
+@Named("commentdelete")
+@Singleton
+public class CommentDeleteAction extends XWikiAction
+{
+    private static final String FAIL_MESSAGE = "failed";
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(CommentDeleteAction.class);
+
+    @Inject
+    private UserReferenceResolver<CurrentUserReference> currentUserResolver;
+
+    @Override
+    protected Class<? extends XWikiForm> getFormClass()
+    {
+        return ObjectRemoveForm.class;
+    }
+
+    protected BaseObject getObject(XWikiDocument doc, XWikiContext context)
+    {
+        ObjectRemoveForm form = (ObjectRemoveForm) context.getForm();
+        BaseObject obj = null;
+
+        String className = form.getClassName();
+        int classId = form.getClassId();
+        String attributeName = "message";
+        if (StringUtils.isBlank(className)) {
+            getCurrentScriptContext().setAttribute(attributeName,
+                localizePlainOrReturnKey("platform.core.action.commentRemove.noClassnameSpecified"),
+                ScriptContext.ENGINE_SCOPE);
+        } else if (classId < 0) {
+            getCurrentScriptContext().setAttribute(attributeName,
+                localizePlainOrReturnKey("platform.core.action.commentRemove.noCommentSpecified"),
+                ScriptContext.ENGINE_SCOPE);
+        } else {
+            // Comment class reference
+            DocumentReference commentClass = new DocumentReference(context.getWikiId(), XWiki.SYSTEM_SPACE,
+                XWikiDocument.COMMENTSCLASS_REFERENCE.getName());
+            obj = doc.getXObject(commentClass, classId);
+            if (obj == null) {
+                getCurrentScriptContext().setAttribute(attributeName,
+                    localizePlainOrReturnKey("platform.core.action.commentRemove.invalidComment"),
+                    ScriptContext.ENGINE_SCOPE);
+            }
+        }
+        return obj;
+    }
+
+    @Override
+    public boolean action(XWikiContext context) throws XWikiException
+    {
+        // CSRF prevention
+        if (!csrfTokenCheck(context)) {
+            return false;
+        }
+
+        XWiki xwiki = context.getWiki();
+        XWikiResponse response = context.getResponse();
+        XWikiDocument doc = context.getDoc();
+        DocumentReference userReference = context.getUserReference();
+
+        // We need to clone this document first, since a cached storage would return the same object for the
+        // following requests, so concurrent request might get a partially modified object, or worse, if an error
+        // occurs during the save, the cached object will not reflect the actual document at all.
+        doc = doc.clone();
+
+        BaseObject obj = getObject(doc, context);
+        if (obj == null) {
+            return true;
+        }
+
+        doc.removeXObject(obj);
+        UserReference currentUserReference = this.currentUserResolver.resolve(CurrentUserReference.INSTANCE);
+        doc.getAuthors().setEffectiveMetadataAuthor(currentUserReference);
+
+        String changeComment = localizePlainOrReturnKey("core.comment.deleteComment");
+
+        // Make sure the user is allowed to make this modification
+        context.getWiki().checkSavingDocument(userReference, doc, changeComment, true, context);
+
+        xwiki.saveDocument(doc, changeComment, true, context);
+
+        if (Utils.isAjaxRequest(context)) {
+            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
+            response.setContentLength(0);
+        } else {
+            // forward to edit
+            String redirect = Utils.getRedirect("edit", context);
+            sendRedirect(response, redirect);
+        }
+        return false;
+    }
+
+    @Override
+    public String render(XWikiContext context) throws XWikiException
+    {
+        if (Utils.isAjaxRequest(context)) {
+            XWikiResponse response = context.getResponse();
+            response.setStatus(HttpServletResponse.SC_CONFLICT);
+            response.setContentType("text/plain");
+            try {
+                response.getWriter().print(FAIL_MESSAGE);
+            } catch (IOException e) {
 LOGGER.error("Failed to send error response to AJAX save and continue request.", e); 
 LOGGER.error("Failed to send error response to AJAX save and continue request.", e); 
+                LOGGER.error("Failed to send error response to AJAX comment delete request.", e);
+            }
+            return null;
+        } else {
+            return "error";
+        }
+    }
+}
diff --git a/...tform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java b/...tform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/ObjectRemoveAction.java
@@ -27,6 +27,8 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.xwiki.component.annotation.Component;
 import org.xwiki.model.reference.DocumentReference;
 
@@ -41,6 +43,8 @@
 @Singleton
 public class ObjectRemoveAction extends XWikiAction
 {
+    private static final String FAIL_MESSAGE = "failed";
+    private static final Logger LOGGER = LoggerFactory.getLogger(ObjectRemoveAction.class);
     @Override
     protected Class<? extends XWikiForm> getFormClass()
     {
@@ -124,9 +128,9 @@ public String render(XWikiContext context) throws XWikiException
             response.setStatus(HttpServletResponse.SC_CONFLICT);
             response.setContentType("text/plain");
             try {
-                response.getWriter().write("failed");
-                response.setContentLength(6);
+                response.getWriter().print(FAIL_MESSAGE);
             } catch (IOException e) {
+                LOGGER.error("Failed to send error response to AJAX comment delete request.", e);
             }
             return null;
         } else {

diff --git a/...i-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties b/...i-platform-core/xwiki-platform-oldcore/src/main/resources/ApplicationResources.properties
@@ -950,6 +950,7 @@ core.comment.tooltip=Enter a brief description of your changes
 core.comment.prompt=Enter a brief description of your changes
 core.comment.addComment=Added comment
 core.comment.editComment=Edited comment
+core.comment.deleteComment=Deleted comment
 core.comment.addObject=Added object
 core.comment.updateObject=Updated object
 core.comment.deleteObject=Deleted object
@@ -2187,6 +2188,9 @@ platform.core.invalidUrl=This is not a valid URL
 platform.core.action.objectRemove.noClassnameSpecified=No object type specified.
 platform.core.action.objectRemove.noObjectSpecified=No object specified.
 platform.core.action.objectRemove.invalidObject=Invalid object specified.
+platform.core.action.commentRemove.noClassnameSpecified=No object type specified.
+platform.core.action.commentRemove.noCommentSpecified=No comment specified.
+platform.core.action.commentRemove.invalidComment=Invalid comment specified.
 platform.core.action.deleteAttachment.noAttachment=This attachment does not exist.
 core.action.deleteAttachment.failed=Failed to delete attachment {0}
 core.action.upload.failure=Failed to upload {0,choice,0#files|1#one file|1<{0} files}.

diff --git a/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/META-INF/components.txt b/xwiki-platform-core/xwiki-platform-oldcore/src/main/resources/META-INF/components.txt
@@ -225,6 +225,7 @@ com.xpn.xwiki.web.AttachAction
 com.xpn.xwiki.web.CancelAction
 com.xpn.xwiki.web.CommentAddAction
 com.xpn.xwiki.web.CommentSaveAction
+com.xpn.xwiki.web.CommentDeleteAction
 com.xpn.xwiki.web.CreateAction
 com.xpn.xwiki.web.DeleteAction
 com.xpn.xwiki.web.DeleteAttachmentAction