author | Bharat Mediratta <bharat@menalto.com> | 2009-01-07 08:18:15 +0000 |
---|---|---|
committer | Bharat Mediratta <bharat@menalto.com> | 2009-01-07 08:18:15 +0000 |
commit | 17c8e14753953dc3277d28e8e336f0b15201031d (patch) | |
tree | eb5bbf30aa14d1e18ddf566959dc0421b93ca567 | |
parent | 9460e08da87b9978e3e078e1ebf4c33705e060f3 (diff) |
Properly check comment permissions. Don't show comments that aren't
published. Fix _form_add to take an item id. Oh and email address is
no longer required.
-rw-r--r-- | modules/comment/controllers/comments.php | 12 | ||||
-rw-r--r-- | modules/comment/models/comment.php | 2 |
2 files changed, 12 insertions, 2 deletions
diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php
index bb8aeb55..1bf1a9e2 100644
--- a/modules/comment/controllers/comments.php
+++ b/modules/comment/controllers/comments.php
@@ -84,6 +84,12 @@ class Comments_Controller extends REST_Controller {
    * @see REST_Controller::_show($resource)
    */
   public function _show($comment) {
+    $item = ORM::factory("item", $comment->item_id);
+    access::required("view", $item);
+    if ($comment->state != "published") {
+      return;
+    }
+
     if (rest::output_format() == "json") {
       print json_encode(
         array("result" => "success",
@@ -100,6 +106,8 @@ class Comments_Controller extends REST_Controller {
    * @see REST_Controller::_update($resource)
    */
   public function _update($comment) {
+    $item = ORM::factory("item", $comment->item_id);
+    access::required("edit", $item);
     $form = comment::get_edit_form($comment);
     if ($form->validate()) {
@@ -124,6 +132,8 @@ class Comments_Controller extends REST_Controller {
    * @see REST_Controller::_delete($resource)
    */
   public function _delete($comment) {
+    $item = ORM::factory("item", $comment->item_id);
+    access::required("edit", $item);
     $comment->delete();
     print json_encode(array("result" => "success"));
@@ -133,7 +143,7 @@ class Comments_Controller extends REST_Controller {
    * Present a form for adding a new comment to this item or editing an existing comment.
    * @see REST_Controller::form_add($resource)
    */
-  public function _form_add($item) {
+  public function _form_add($item_id) {
     $item = ORM::factory("item", $item_id);
     access::required("view", $item);
diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php
index 4c4a8729..323356b4 100644
--- a/modules/comment/models/comment.php
+++ b/modules/comment/models/comment.php
@@ -20,7 +20,7 @@ class Comment_Model extends ORM {
   var $rules = array(
     "author" => "required",
-    "email" => "required|valid_email",
+    "email" => "valid_email",
     "url" => "valid_url",
     "text" => "required");
 } |
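Review bot: In `_show`, the new `if ($comment->state != "published") { return; }` exits without producing any output, so a request for an unpublished comment gets an empty body under whatever default status the framework sends, which a JSON client cannot tell apart from a transport failure; answering as for a missing resource (a not-found error) would match the "don't show" intent and give callers a definite signal. The comparison should also be strict, `if ($comment->state !== "published") {`, since `state` is presumably a string column. The same two-line `ORM::factory("item", $comment->item_id)` / `access::required(...)` preamble now appears in `_show`, `_update` and `_delete`; a small private helper that loads the parent item and enforces the permission would keep that rule in one place instead of three. Each of these method bodies continues outside its hunk, and I am assuming `access::required` aborts the request on failure rather than returning normally.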
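Review bot: Dropping `required` leaves `"email" => "valid_email"` applied to whatever the form submits, and if the validation layer still runs `valid_email` against an empty string then an omitted address would be rejected anyway, defeating the stated intent; confirm that an empty value short-circuits the rule, or add a comment on that line recording that the field is optional and only checked when present. The `Comment_Model` class header lies outside the hunk.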