Major The comments DB table doesn't have a component in it only a comment area:
moodle=# select * from m24_comments;
|
id | contextid | commentarea | itemid | content | format | userid | timecreated
|
----+-----------+----------------+--------+---------+--------+--------+-------------
|
2 | 15 | page_comments | 0 | test | 0 | 2 | 1355903721
|
3 | 15 | page_comments | 0 | Blah! | 0 | 2 | 1355966525
|
4 | 34 | database_entry | 2 | test | 0 | 2 | 1355967009
|
(3 rows)
|
As far as I can see, there is no way to get from that commentarea back to a component, therefore there is no way to validate the permisisons. See for example:
private function check_permissions() {
|
$this->postcap = has_capability('moodle/comment:post', $this->context);
|
$this->viewcap = has_capability('moodle/comment:view', $this->context);
|
if (!empty($this->plugintype)) {
|
$permissions = plugin_callback($this->plugintype, $this->pluginname, 'comment', 'permissions', array($this->comment_param), array('post'=>false, 'view'=>false));
|
$this->postcap = $this->postcap && $permissions['post'];
|
$this->viewcap = $this->viewcap && $permissions['view'];
|
}
|
}
|
It looks to me that this plugintype only comes from the HTML and is not validated at all. So for example you could switch to the validation for a mod_assign comment to block_comment validation. You could probably also manipulate the html to view other peoples comments.
