Use proper menu router paths for comment/*

Applied previous patch and made changes as described. Left comment/node/%node as is for now.

Subscribing.. will try to review in a bit.

The last submitted patch failed testing.

Reviewing now (and will try to fix the test while I review, unless someone else is).

Let's try this again. Fixed comment_approve as it used to accept $cid as its argument, and should now be passed the $comment object. Also changed all items to local tasks and weighted them.

Not sure what is the best order for the local tasks but the order I chose is View | Edit | Approve | Delete

Looks good to me, although:

The if ($comment) part is no longer necessary anymore since the menu system will take care of never even hitting this callback function in the case where the comment doesn't exist. So, this function can actually be simplified (similar to how the patch simplifies the callback for comment deletion).

One other thing - the immediate effect of this patch is pretty odd (see attached screenshot). However, we can probably let that slide since #473268: D7UX: Put edit links on everything would automatically take care of fixing it :)

Should be 'Approve comment' to be consistent with the other links. See also David's screenshot in the previous comment.

For consistency with the node system and all the rest of Drupal, it should actually be just 'Edit', 'Approve', 'Delete' instead of 'Edit comment', 'Approve comment' and 'Delete comment'.

Otherwise, this patch looks very straightforward.

Code looks good to me. Nice bonus that comment_delete_page() is no longer needed. I expect regression failures (like in forum.module), but those can be fixed once bot reports them.

Re-roll per #7 (removing all if/else logic from comment_approve) and #8 (Clean up titles of local tasks).

whoops, I guess I should wait for someone else to mark it as RTBC. ;)

Very nice job, q0rban!

Looks great. Committed!

This introduced a CSRF vulnerability. Some douchebag can put <img src="http://localhost/core/comment/1/approve" /> in their comment.

We need a confirm form around the approval link.

Also, we should give this local task a proper access callback. "Approve" should only show up if the comment is unpublished. The link does this, the local task does not.

Tagging.

csrf for menu-links #144538: Image with /logout URL as source and depends on #204077: Allow menu links pointing to dynamic paths

Not sure whether this works, but it should do at least 90% of what's needed.

And, I think I already mentioned elsewhere that this wasn't really introduced by this patch... so not sure whether it's superior to discuss this publicly, but anyway.

The last submitted patch failed testing.

Yeah, the CSRF vulnerability was not introduced by this patch - I think all this patch did was change the URL at which it happens :) It looks like it was introduced (in Drupal 7 only) via #66264: Remove CSRF vulnerability from comment module and a fix is already being worked on there.

In this issue, however, we still have two followup bugs visible in the screenshot from #7:

1. The title of the page should not be "Comment permalink".
2. It's not really clear that we want all these things showing up as visible local tasks, which was a side effect of the committed patch... we don't (currently) do that with most delete links in Drupal, for example.

We also need to roll back using %node menu loaders for edit and delete links I think, since that prevents using contextual links without generating a database query per path (due to menu access checks).

@catch: The loaded %node as well as %comment should be cached. Both need to rely on node access grants.

Doh, mis-typed. %node is of course , but %comment has no static caching at all, see #611590: Statically cache comments for the other option.