Rewrote all tal:condition in comments.pt. The authenticated user has

the reply button and the comment form if he has the "Reply to item" permission and the conversation is currently enabled. Warning: There is a security hole at the moment. Any authenticated user having the zope2.View permission or anonymous user without captcha can add a comment by creating a post request. svn path=/plone.app.discussion/trunk/; revision=38888
2010-08-24 11:25:17 +00:00 · 2010-08-24 11:25:17 +00:00 · 17fce9d515
parent 1579064ee6
commit 17fce9d515
2 changed files with 7 additions and 6 deletions
--- a/plone/app/discussion/browser/comments.pt
+++ b/plone/app/discussion/browser/comments.pt
@ -25,7 +25,7 @@

    <div class="discussion"
         tal:attributes="class python: showCommenterImage and 'discussion showCommenterImage' or 'discussion';"
-         tal:condition="python:replies or (userHasReplyPermission and isDiscussionAllowed) or (isAnon and not userHasReplyPermission and isDiscussionAllowed)">
+         tal:condition="has_replies">
        <tal:getreplies repeat="reply_dict replies">

            <div class="comment"
@ -85,7 +85,7 @@

                <div class="commentActions">
                    <button class="context reply-to-comment-button hide allowMultiSubmit"
-                            tal:condition="python:userHasReplyPermission and isDiscussionAllowed or isAnonymousDiscussionAllowed"
+                            tal:condition="python:isDiscussionAllowed and (isAnon and isAnonymousDiscussionAllowed or userHasReplyPermission)"
                            i18n:translate="label_reply">
                        Reply
                    </button>
@ -94,7 +94,7 @@
                          action=""
                          method="post"
                          style="display: inline;"
-                          tal:condition="view/can_manage"
+                          tal:condition="canManage"
                          tal:attributes="action string:${reply/absolute_url}/@@moderate-delete-comment">
                        <input name="form.button.DeleteComment"
                               class="destructive"
@ -109,6 +109,7 @@
                          action=""
                          method="get"
                          style="display: inline;"
+                          tal:condition="canManage"
                          tal:repeat="action reply_dict/actions|nothing"
                          tal:attributes="action string:${reply/absolute_url}/@@moderate-publish-comment;
                                          name action/id">
@ -129,7 +130,7 @@
    </div>

    <div class="reply"
-         tal:condition="python: isAnon and not isAnonymousDiscussionAllowed and has_replies">
+         tal:condition="python:isDiscussionAllowed and (isAnon and not isAnonymousDiscussionAllowed)">
        <form tal:attributes="action view/login_action">
            <input class="standalone"
                   style="margin-bottom: 1.25em;"
@ -140,7 +141,7 @@
        </form>
    </div>

-    <div id="commenting" class="reply" tal:condition="python: isAnon and isAnonymousDiscussionAllowed or not isAnon">
+    <div id="commenting" class="reply" tal:condition="python:isDiscussionAllowed and (isAnon and isAnonymousDiscussionAllowed or userHasReplyPermission)">

        <fieldset>

--- a/plone/app/discussion/browser/comments.py
+++ b/plone/app/discussion/browser/comments.py
@ -223,7 +223,7 @@ class CommentsViewlet(ViewletBase):
    def has_replies(self, workflow_actions=False):
        """Returns true if there are replies.
        """
-        if self.get_replies(workflow_actions):
+        if self.get_replies(workflow_actions) is not None:
            try:
                self.get_replies(workflow_actions).next()
                return True