Rewrote all tal:condition in comments.pt. The authenticated user has

the reply button and the comment form if he has the "Reply to item"
permission and the conversation is currently enabled.

Warning:
There is a security hole at the moment. Any authenticated user having the
zope2.View permission or anonymous user without captcha can add a comment
by creating a post request.

svn path=/plone.app.discussion/trunk/; revision=38888

plone/app/discussion/browser/comments.pt

@@ -25,7 +25,7 @@
 
     <div class="discussion"
          tal:attributes="class python: showCommenterImage and 'discussion showCommenterImage' or 'discussion';"
-         tal:condition="python:replies or (userHasReplyPermission and isDiscussionAllowed) or (isAnon and not userHasReplyPermission and isDiscussionAllowed)">
+         tal:condition="has_replies">
         <tal:getreplies repeat="reply_dict replies">
 
             <div class="comment"
@@ -85,7 +85,7 @@
 
                 <div class="commentActions">
                     <button class="context reply-to-comment-button hide allowMultiSubmit"
-                            tal:condition="python:userHasReplyPermission and isDiscussionAllowed or isAnonymousDiscussionAllowed"
+                            tal:condition="python:isDiscussionAllowed and (isAnon and isAnonymousDiscussionAllowed or userHasReplyPermission)"
                             i18n:translate="label_reply">
                         Reply
                     </button>
@@ -94,7 +94,7 @@
                           action=""
                           method="post"
                           style="display: inline;"
-                          tal:condition="view/can_manage"
+                          tal:condition="canManage"
                           tal:attributes="action string:${reply/absolute_url}/@@moderate-delete-comment">
                         <input name="form.button.DeleteComment"
                                class="destructive"
@@ -109,6 +109,7 @@
                           action=""
                           method="get"
                           style="display: inline;"
+                          tal:condition="canManage"
                           tal:repeat="action reply_dict/actions|nothing"
                           tal:attributes="action string:${reply/absolute_url}/@@moderate-publish-comment;
                                           name action/id">
@@ -129,7 +130,7 @@
     </div>
 
     <div class="reply"
-         tal:condition="python: isAnon and not isAnonymousDiscussionAllowed and has_replies">
+         tal:condition="python:isDiscussionAllowed and (isAnon and not isAnonymousDiscussionAllowed)">
         <form tal:attributes="action view/login_action">
             <input class="standalone"
                    style="margin-bottom: 1.25em;"
@@ -140,7 +141,7 @@
         </form>
     </div>
 
-    <div id="commenting" class="reply" tal:condition="python: isAnon and isAnonymousDiscussionAllowed or not isAnon">
+    <div id="commenting" class="reply" tal:condition="python:isDiscussionAllowed and (isAnon and isAnonymousDiscussionAllowed or userHasReplyPermission)">
 
         <fieldset>
 

plone/app/discussion/browser/comments.py

@@ -223,7 +223,7 @@ class CommentsViewlet(ViewletBase):
     def has_replies(self, workflow_actions=False):
         """Returns true if there are replies.
         """
-        if self.get_replies(workflow_actions):
+        if self.get_replies(workflow_actions) is not None:
             try:
                 self.get_replies(workflow_actions).next()
                 return True