diff --git a/CHANGES.txt b/CHANGES.txt index c1f8ebf..e1fbfd5 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -4,6 +4,10 @@ Changelog 1.0RC1 (unreleased) ------------------- +- Make sure the handleComment method checks for the 'Reply to item' permission + when adding a comment. + [timo] + - Make the mail-setting warning message show up in the discussion control panel. [timo] diff --git a/plone/app/discussion/browser/comments.py b/plone/app/discussion/browser/comments.py index ad10eed..16f4c95 100644 --- a/plone/app/discussion/browser/comments.py +++ b/plone/app/discussion/browser/comments.py @@ -175,7 +175,10 @@ class CommentForm(extensible.ExtensibleForm, form.Form): comment.text = text portal_membership = getToolByName(self.context, 'portal_membership') - + + can_reply = getSecurityManager().checkPermission('Reply to item', + context) + if portal_membership.isAnonymousUser() and \ settings.anonymous_comments: # Anonymous Users @@ -184,7 +187,7 @@ class CommentForm(extensible.ExtensibleForm, form.Form): comment.author_email = author_email comment.user_notification = user_notification comment.creation_date = comment.modification_date = datetime.utcnow() - elif not portal_membership.isAnonymousUser(): + elif not portal_membership.isAnonymousUser() and can_reply: # Member member = portal_membership.getAuthenticatedMember() username = member.getUserName() @@ -204,8 +207,10 @@ class CommentForm(extensible.ExtensibleForm, form.Form): comment.user_notification = user_notification comment.creation_date = comment.modification_date = datetime.utcnow() else: - raise Unauthorized, "Anonymous user tries to post a comment, but \ - anonymous commenting is disabled." # pragma: no cover + raise Unauthorized, \ + """Anonymous user tries to post a comment, but + anonymous commenting is disabled. Or user + does not have the 'reply to item' permission.""" # pragma: no cover # Check if the added comment is a reply to an existing comment # or just a regular reply to the content object. 
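Review bot: The new `can_reply` is computed for every request but only consulted in the member branch (`elif not portal_membership.isAnonymousUser() and can_reply:` in the @@ -184 hunk), so an anonymous poster is still accepted on `settings.anonymous_comments` alone even when 'Reply to item' has been withdrawn on this particular object, for example by a workflow state. If the global setting is meant to be the only gate for anonymous posts, a comment next to the check should say so; otherwise the first branch should read `if portal_membership.isAnonymousUser() and settings.anonymous_comments and can_reply:` so both paths honour the same permission. The check is also made against a bare `context`, whereas the viewlet's can_reply in the @@ -268 hunk uses `aq_inner(self.context)`; handleComment starts before this hunk, so whether `context` is the acquisition-wrapped object cannot be confirmed here and a one-line comment on the `can_reply` assignment stating what it is would settle it.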
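Review bot: The `# pragma: no cover` kept on the rewritten raise in the @@ -204 hunk is now stale, because the test added in this same commit asserts that handleComment raises Unauthorized; dropping the pragma lets coverage report the branch honestly. The triple-quoted message also carries its source indentation and line breaks into the exception text; implicit concatenation, `"Anonymous user tries to post a comment, but anonymous commenting " "is disabled. Or user does not have the 'reply to item' permission."`, keeps it on one logical line without the embedded whitespace. The Python 2-only `raise Unauthorized, msg` form is retained; `raise Unauthorized(msg)` is equivalent and portable.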
@@ -268,7 +273,7 @@ class CommentsViewlet(ViewletBase): def can_reply(self): """Returns true if current user has the 'Reply to item' permission. - """ + """ return getSecurityManager().checkPermission('Reply to item', aq_inner(self.context)) diff --git a/plone/app/discussion/tests/test_comments_viewlet.py b/plone/app/discussion/tests/test_comments_viewlet.py index e5b1875..7075670 100644 --- a/plone/app/discussion/tests/test_comments_viewlet.py +++ b/plone/app/discussion/tests/test_comments_viewlet.py 
@@ -96,7 +96,70 @@ class TestCommentForm(PloneTestCase): self.assertEquals(len(errors), 0) self.failIf(commentForm.handleComment(commentForm, "foo")) + def test_add_comment_with_reply_to_item_permission(self): + """Add a comment with the 'reply to item' permission only. + """ + + membership = self.portal.portal_membership + membership.addMember('user', 'secret', [], []) + membership.addMember('replier', 'secret', ['Reply to item',], []) + from Products.CMFCore.permissions import setDefaultRoles + from Products.CMFCore import permissions + permissions.setDefaultRoles("Reply to item", ('Authenticated',)) + + # Allow discussion + self.dtool.overrideDiscussionFor(self.portal.doc1, True) + self.viewlet = CommentsViewlet(self.context, self.request, None, None) + def make_request(form={}): + request = TestRequest() + request.form.update(form) + alsoProvides(request, IFormLayer) + alsoProvides(request, IAttributeAnnotatable) + return request + + provideAdapter(adapts=(Interface, IBrowserRequest), + provides=Interface, + factory=CommentForm, + name=u"comment-form") + + + self.logout() + self.login('user') + + request = make_request(form={'form.widgets.text': u'bar'}) + commentForm = getMultiAdapter((self.context, request), + name=u"comment-form") + commentForm.update() + data, errors = commentForm.extractData() # pylint: disable-msg=W0612 + + # Sumitting a form as user without the 'reply to item' permission + # raises an unauthorized error. + self.assertEquals(len(errors), 0) + self.assertRaises(Unauthorized, + commentForm.handleComment, + commentForm, + "foo") + + + self.logout() + self.login('replier') + + request = make_request(form={'form.widgets.text': u'bar'}) + commentForm = getMultiAdapter((self.context, request), + name=u"comment-form") + commentForm.update() + data, errors = commentForm.extractData() # pylint: disable-msg=W0612 + + # Sumitting a form as user without the 'reply to item' permission + # raises an unauthorized error. 
+ self.assertEquals(len(errors), 0) + + #from AccessControl import getSecurityManager + #getSecurityManager().checkPermission('View', self.context) + #self.failIf(commentForm.handleComment(commentForm, "foo")) + + def test_add_anonymous_comment(self): """Add a comment as anonymous. """
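Review bot: The positive half of test_add_comment_with_reply_to_item_permission is never asserted: after logging in as 'replier' the only check is `self.assertEquals(len(errors), 0)`, which covers form validation, while the call that would prove the comment is accepted is left commented out, so the test still passes if the new permission check rejects everyone. Replace the three commented-out lines with `self.failIf(commentForm.handleComment(commentForm, "foo"))` and correct the copy-pasted comment above it to `# Submitting a form as a user with the 'reply to item' permission succeeds.` (the first occurrence also misspells "Submitting"). It is not clear from the hunk what actually distinguishes 'replier' from 'user': `addMember('replier', 'secret', ['Reply to item',], [])` passes a permission name where a role list is expected, and `permissions.setDefaultRoles("Reply to item", ('Authenticated',))` would presumably apply to both accounts, so the expected Unauthorized for 'user' deserves a comment naming the grant the test relies on. Minor: `from Products.CMFCore.permissions import setDefaultRoles` is unused, `make_request(form={})` uses a mutable default argument, and the `self.viewlet = CommentsViewlet(...)` assignment is never read.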