Make sure the handleComment method checks for the 'Reply to item' permission when adding a comment.

svn path=/plone.app.discussion/trunk/; revision=46212
Timo Stollenwerk 2010-12-09 08:11:41 +00:00
parent c8e78449a2
commit 7e279d3ad3
3 changed files with 77 additions and 5 deletions


@ -4,6 +4,10 @@ Changelog
1.0RC1 (unreleased) 1.0RC1 (unreleased)
------------------- -------------------
- Make sure the handleComment method checks for the 'Reply to item' permission
when adding a comment.
[timo]
- Make the mail-setting warning message show up in the discussion control panel. - Make the mail-setting warning message show up in the discussion control panel.
[timo] [timo]


@ -175,7 +175,10 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
comment.text = text comment.text = text
portal_membership = getToolByName(self.context, 'portal_membership') portal_membership = getToolByName(self.context, 'portal_membership')
can_reply = getSecurityManager().checkPermission('Reply to item',
context)
if portal_membership.isAnonymousUser() and \ if portal_membership.isAnonymousUser() and \
settings.anonymous_comments: settings.anonymous_comments:
# Anonymous Users # Anonymous Users
@ -184,7 +187,7 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
comment.author_email = author_email comment.author_email = author_email
comment.user_notification = user_notification comment.user_notification = user_notification
comment.creation_date = comment.modification_date = datetime.utcnow() comment.creation_date = comment.modification_date = datetime.utcnow()
elif not portal_membership.isAnonymousUser(): elif not portal_membership.isAnonymousUser() and can_reply:
# Member # Member
member = portal_membership.getAuthenticatedMember() member = portal_membership.getAuthenticatedMember()
username = member.getUserName() username = member.getUserName()
@ -204,8 +207,10 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
comment.user_notification = user_notification comment.user_notification = user_notification
comment.creation_date = comment.modification_date = datetime.utcnow() comment.creation_date = comment.modification_date = datetime.utcnow()
else: else:
raise Unauthorized, "Anonymous user tries to post a comment, but \ raise Unauthorized, \
anonymous commenting is disabled." # pragma: no cover """Anonymous user tries to post a comment, but
anonymous commenting is disabled. Or user
does not have the 'reply to item' permission.""" # pragma: no cover
# Check if the added comment is a reply to an existing comment # Check if the added comment is a reply to an existing comment
# or just a regular reply to the content object. # or just a regular reply to the content object.
@ -268,7 +273,7 @@ class CommentsViewlet(ViewletBase):
def can_reply(self): def can_reply(self):
"""Returns true if current user has the 'Reply to item' permission. """Returns true if current user has the 'Reply to item' permission.
""" """
return getSecurityManager().checkPermission('Reply to item', return getSecurityManager().checkPermission('Reply to item',
aq_inner(self.context)) aq_inner(self.context))
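Review bot: The new `can_reply` value is consulted only in the member branch (`elif not portal_membership.isAnonymousUser() and can_reply:`), so an anonymous poster with `settings.anonymous_comments` enabled is never tested against 'Reply to item'; if the permission is meant to govern all posting, the anonymous branch should require it too (`if portal_membership.isAnonymousUser() and settings.anonymous_comments and can_reply:`), and if the asymmetry is intended, a one-line comment saying that anonymous posting is governed by the setting alone would stop the next reader from "fixing" it. The check is also written against a bare `context` while the viewlet's `can_reply` further down uses `aq_inner(self.context)`; handleComment's start is outside the hunk, so if `context` is not a local bound earlier this is a NameError, and in either case writing `getSecurityManager().checkPermission('Reply to item', aq_inner(self.context))` in both places keeps the two checks identical. The Unauthorized message now spans a triple-quoted string, so the raised text carries the source indentation and line breaks; a single-line message or adjacent-string concatenation would read cleaner in logs.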


@ -96,7 +96,70 @@ class TestCommentForm(PloneTestCase):
self.assertEquals(len(errors), 0) self.assertEquals(len(errors), 0)
self.failIf(commentForm.handleComment(commentForm, "foo")) self.failIf(commentForm.handleComment(commentForm, "foo"))
def test_add_comment_with_reply_to_item_permission(self):
"""Add a comment with the 'reply to item' permission only.
"""
membership = self.portal.portal_membership
membership.addMember('user', 'secret', [], [])
membership.addMember('replier', 'secret', ['Reply to item',], [])
from Products.CMFCore.permissions import setDefaultRoles
from Products.CMFCore import permissions
permissions.setDefaultRoles("Reply to item", ('Authenticated',))
# Allow discussion
self.dtool.overrideDiscussionFor(self.portal.doc1, True)
self.viewlet = CommentsViewlet(self.context, self.request, None, None)
def make_request(form={}):
request = TestRequest()
request.form.update(form)
alsoProvides(request, IFormLayer)
alsoProvides(request, IAttributeAnnotatable)
return request
provideAdapter(adapts=(Interface, IBrowserRequest),
provides=Interface,
factory=CommentForm,
name=u"comment-form")
self.logout()
self.login('user')
request = make_request(form={'form.widgets.text': u'bar'})
commentForm = getMultiAdapter((self.context, request),
name=u"comment-form")
commentForm.update()
data, errors = commentForm.extractData() # pylint: disable-msg=W0612
# Sumitting a form as user without the 'reply to item' permission
# raises an unauthorized error.
self.assertEquals(len(errors), 0)
self.assertRaises(Unauthorized,
commentForm.handleComment,
commentForm,
"foo")
self.logout()
self.login('replier')
request = make_request(form={'form.widgets.text': u'bar'})
commentForm = getMultiAdapter((self.context, request),
name=u"comment-form")
commentForm.update()
data, errors = commentForm.extractData() # pylint: disable-msg=W0612
# Sumitting a form as user without the 'reply to item' permission
# raises an unauthorized error.
self.assertEquals(len(errors), 0)
#from AccessControl import getSecurityManager
#getSecurityManager().checkPermission('View', self.context)
#self.failIf(commentForm.handleComment(commentForm, "foo"))
def test_add_anonymous_comment(self): def test_add_anonymous_comment(self):
"""Add a comment as anonymous. """Add a comment as anonymous.
""" """