Make sure the handleComment method checks for the 'Reply to item' permission when adding a comment.

svn path=/plone.app.discussion/trunk/; revision=46212

CHANGES.txt

@@ -4,6 +4,10 @@ Changelog
 1.0RC1 (unreleased)
 -------------------
 
+- Make sure the handleComment method checks for the 'Reply to item' permission 
+  when adding a comment.
+  [timo]
+
 - Make the mail-setting warning message show up in the discussion control panel.
   [timo]
   

plone/app/discussion/browser/comments.py

@@ -175,7 +175,10 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
         comment.text = text
 
         portal_membership = getToolByName(self.context, 'portal_membership')
-
+        
+        can_reply = getSecurityManager().checkPermission('Reply to item',
+                                                         context)
+        
         if portal_membership.isAnonymousUser() and \
         settings.anonymous_comments:
             # Anonymous Users
@@ -184,7 +187,7 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
             comment.author_email = author_email
             comment.user_notification = user_notification
             comment.creation_date = comment.modification_date = datetime.utcnow()
-        elif not portal_membership.isAnonymousUser():
+        elif not portal_membership.isAnonymousUser() and can_reply:
             # Member
             member = portal_membership.getAuthenticatedMember()
             username = member.getUserName()
@@ -204,8 +207,10 @@ class CommentForm(extensible.ExtensibleForm, form.Form):
             comment.user_notification = user_notification
             comment.creation_date = comment.modification_date = datetime.utcnow()
         else:
-            raise Unauthorized, "Anonymous user tries to post a comment, but \
-                                 anonymous commenting is disabled." # pragma: no cover
+            raise Unauthorized, \
+                  """Anonymous user tries to post a comment, but
+                     anonymous commenting is disabled. Or user
+                     does not have the 'reply to item' permission.""" # pragma: no cover
         
         # Check if the added comment is a reply to an existing comment
         # or just a regular reply to the content object.
@@ -268,7 +273,7 @@ class CommentsViewlet(ViewletBase):
     
     def can_reply(self):
         """Returns true if current user has the 'Reply to item' permission.
-        """        
+        """
         return getSecurityManager().checkPermission('Reply to item', 
                                                     aq_inner(self.context))
 

plone/app/discussion/tests/test_comments_viewlet.py

@@ -96,7 +96,70 @@ class TestCommentForm(PloneTestCase):
         self.assertEquals(len(errors), 0)
         self.failIf(commentForm.handleComment(commentForm, "foo"))
         
+    def test_add_comment_with_reply_to_item_permission(self):
+        """Add a comment with the 'reply to item' permission only.
+        """
+        
+        membership = self.portal.portal_membership
+        membership.addMember('user', 'secret', [], [])
+        membership.addMember('replier', 'secret', ['Reply to item',], [])
+        from Products.CMFCore.permissions import setDefaultRoles
+        from Products.CMFCore import permissions
+        permissions.setDefaultRoles("Reply to item", ('Authenticated',))
+        
+        # Allow discussion
+        self.dtool.overrideDiscussionFor(self.portal.doc1, True)
+        self.viewlet = CommentsViewlet(self.context, self.request, None, None)
 
+        def make_request(form={}):
+            request = TestRequest()
+            request.form.update(form)
+            alsoProvides(request, IFormLayer)
+            alsoProvides(request, IAttributeAnnotatable)
+            return request
+        
+        provideAdapter(adapts=(Interface, IBrowserRequest),
+                       provides=Interface,
+                       factory=CommentForm,
+                       name=u"comment-form")
+
+        
+        self.logout()
+        self.login('user')
+        
+        request = make_request(form={'form.widgets.text': u'bar'})
+        commentForm = getMultiAdapter((self.context, request), 
+                                      name=u"comment-form")
+        commentForm.update()
+        data, errors = commentForm.extractData() # pylint: disable-msg=W0612
+
+        # Sumitting a form as user without the 'reply to item' permission
+        # raises an unauthorized error.
+        self.assertEquals(len(errors), 0)
+        self.assertRaises(Unauthorized,
+                          commentForm.handleComment,
+                          commentForm,
+                          "foo")
+
+
+        self.logout()
+        self.login('replier')
+        
+        request = make_request(form={'form.widgets.text': u'bar'})
+        commentForm = getMultiAdapter((self.context, request), 
+                                      name=u"comment-form")
+        commentForm.update()
+        data, errors = commentForm.extractData() # pylint: disable-msg=W0612
+
+        # Sumitting a form as user without the 'reply to item' permission
+        # raises an unauthorized error.
+        self.assertEquals(len(errors), 0)
+        
+        #from AccessControl import getSecurityManager
+        #getSecurityManager().checkPermission('View', self.context)
+        #self.failIf(commentForm.handleComment(commentForm, "foo"))
+                
+        
     def test_add_anonymous_comment(self):
         """Add a comment as anonymous.
         """