Make sure the handleComment method checks for the 'Reply to item' permission when adding a comment.

svn path=/plone.app.discussion/trunk/; revision=46212
Timo Stollenwerk 2010-12-09 08:11:41 +00:00
parent c8e78449a2
commit 7e279d3ad3
3 changed files with 77 additions and 5 deletions


@ -4,6 +4,10 @@ Changelog
1.0RC1 (unreleased) 1.0RC1 (unreleased)
------------------- -------------------
- Make sure the handleComment method checks for the 'Reply to item' permission
when adding a comment.
[timo]
- Make the mail-setting warning message show up in the discussion control panel. - Make the mail-setting warning message show up in the discussion control panel.
[timo] [timo]


@ -176,6 +176,9 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
portal_membership = getToolByName(self.context, 'portal_membership') portal_membership = getToolByName(self.context, 'portal_membership')
can_reply = getSecurityManager().checkPermission('Reply to item',
context)
if portal_membership.isAnonymousUser() and \ if portal_membership.isAnonymousUser() and \
settings.anonymous_comments: settings.anonymous_comments:
# Anonymous Users # Anonymous Users
@ -184,7 +187,7 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
comment.author_email = author_email comment.author_email = author_email
comment.user_notification = user_notification comment.user_notification = user_notification
comment.creation_date = comment.modification_date = datetime.utcnow() comment.creation_date = comment.modification_date = datetime.utcnow()
elif not portal_membership.isAnonymousUser(): elif not portal_membership.isAnonymousUser() and can_reply:
# Member # Member
member = portal_membership.getAuthenticatedMember() member = portal_membership.getAuthenticatedMember()
username = member.getUserName() username = member.getUserName()
@ -204,8 +207,10 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
comment.user_notification = user_notification comment.user_notification = user_notification
comment.creation_date = comment.modification_date = datetime.utcnow() comment.creation_date = comment.modification_date = datetime.utcnow()
else: else:
raise Unauthorized, "Anonymous user tries to post a comment, but \ raise Unauthorized, \
anonymous commenting is disabled." # pragma: no cover """Anonymous user tries to post a comment, but
anonymous commenting is disabled. Or user
does not have the 'reply to item' permission.""" # pragma: no cover
# Check if the added comment is a reply to an existing comment # Check if the added comment is a reply to an existing comment
# or just a regular reply to the content object. # or just a regular reply to the content object.


@ -96,6 +96,69 @@ class TestCommentForm(PloneTestCase):
self.assertEquals(len(errors), 0) self.assertEquals(len(errors), 0)
self.failIf(commentForm.handleComment(commentForm, "foo")) self.failIf(commentForm.handleComment(commentForm, "foo"))
def test_add_comment_with_reply_to_item_permission(self):
"""Add a comment with the 'reply to item' permission only.
"""
membership = self.portal.portal_membership
membership.addMember('user', 'secret', [], [])
membership.addMember('replier', 'secret', ['Reply to item',], [])
from Products.CMFCore.permissions import setDefaultRoles
from Products.CMFCore import permissions
permissions.setDefaultRoles("Reply to item", ('Authenticated',))
# Allow discussion
self.dtool.overrideDiscussionFor(self.portal.doc1, True)
self.viewlet = CommentsViewlet(self.context, self.request, None, None)
def make_request(form={}):
request = TestRequest()
request.form.update(form)
alsoProvides(request, IFormLayer)
alsoProvides(request, IAttributeAnnotatable)
return request
provideAdapter(adapts=(Interface, IBrowserRequest),
provides=Interface,
factory=CommentForm,
name=u"comment-form")
self.logout()
self.login('user')
request = make_request(form={'form.widgets.text': u'bar'})
commentForm = getMultiAdapter((self.context, request),
name=u"comment-form")
commentForm.update()
data, errors = commentForm.extractData() # pylint: disable-msg=W0612
# Sumitting a form as user without the 'reply to item' permission
# raises an unauthorized error.
self.assertEquals(len(errors), 0)
self.assertRaises(Unauthorized,
commentForm.handleComment,
commentForm,
"foo")
self.logout()
self.login('replier')
request = make_request(form={'form.widgets.text': u'bar'})
commentForm = getMultiAdapter((self.context, request),
name=u"comment-form")
commentForm.update()
data, errors = commentForm.extractData() # pylint: disable-msg=W0612
# Sumitting a form as user without the 'reply to item' permission
# raises an unauthorized error.
self.assertEquals(len(errors), 0)
#from AccessControl import getSecurityManager
#getSecurityManager().checkPermission('View', self.context)
#self.failIf(commentForm.handleComment(commentForm, "foo"))
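Review bot: The 'replier' half of test_add_comment_with_reply_to_item_permission asserts nothing about the permission, because the lines that would call handleComment are commented out; only the denial path for 'user' is covered. Restore the positive check, `self.failIf(commentForm.handleComment(commentForm, "foo"))`, and replace the copied comment above it with `# Submitting the form as a user with the 'reply to item' permission succeeds.` In `membership.addMember('replier', 'secret', ['Reply to item',], [])` the third argument appears to be a role list, yet it is given a permission name, so 'replier' may not actually hold the permission that the test name claims. The import `from Products.CMFCore.permissions import setDefaultRoles` is unused, since the call goes through `permissions.setDefaultRoles`.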
def test_add_anonymous_comment(self): def test_add_anonymous_comment(self):
"""Add a comment as anonymous. """Add a comment as anonymous.