#55622, Security threat -- any user can delete comments, patch by robertgarrigos

modules/comment.module

@@ -120,12 +120,13 @@ function comment_menu($may_cache) {
 
     $items[] = array('path' => 'admin/comment/configure/settings', 'title' => t('settings'),
       'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
+      
+    $items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
+      'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
 
     $access = user_access('post comments');
     $items[] = array('path' => 'comment/edit', 'title' => t('edit comment'),
       'callback' => 'comment_edit', 'access' => $access, 'type' => MENU_CALLBACK);
-    $items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
-      'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
   }
   else {
     if (arg(0) == 'comment' && arg(1) == 'reply' && is_numeric(arg(2))) {

modules/comment/comment.module

@@ -120,12 +120,13 @@ function comment_menu($may_cache) {
 
     $items[] = array('path' => 'admin/comment/configure/settings', 'title' => t('settings'),
       'type' => MENU_DEFAULT_LOCAL_TASK, 'weight' => -10);
+      
+    $items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
+      'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
 
     $access = user_access('post comments');
     $items[] = array('path' => 'comment/edit', 'title' => t('edit comment'),
       'callback' => 'comment_edit', 'access' => $access, 'type' => MENU_CALLBACK);
-    $items[] = array('path' => 'comment/delete', 'title' => t('delete comment'),
-      'callback' => 'comment_delete', 'access' => $access, 'type' => MENU_CALLBACK);
   }
   else {
     if (arg(0) == 'comment' && arg(1) == 'reply' && is_numeric(arg(2))) {