Properly check comment permissions. Don't show comments that aren't

published.  Fix _form_add to take an item id.  Oh and email address is
no longer required.

1 files changed, 11 insertions, 1 deletions

diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php
index bb8aeb55..1bf1a9e2 100644
--- a/modules/comment/controllers/comments.php
+++ b/modules/comment/controllers/comments.php
@@ -84,6 +84,12 @@ class Comments_Controller extends REST_Controller {
    *  @see REST_Controller::_show($resource)
    */
   public function _show($comment) {
+    $item = ORM::factory("item", $comment->item_id);
+    access::required("view", $item);
+    if ($comment->state != "published") {
+      return;
+    }
+
     if (rest::output_format() == "json") {
       print json_encode(
         array("result" => "success",
@@ -100,6 +106,8 @@ class Comments_Controller extends REST_Controller {
    *  @see REST_Controller::_update($resource)
    */
   public function _update($comment) {
+    $item = ORM::factory("item", $comment->item_id);
+    access::required("edit", $item);
 
     $form = comment::get_edit_form($comment);
     if ($form->validate()) {
@@ -124,6 +132,8 @@ class Comments_Controller extends REST_Controller {
    *  @see REST_Controller::_delete($resource)
    */
   public function _delete($comment) {
+    $item = ORM::factory("item", $comment->item_id);
+    access::required("edit", $item);
 
     $comment->delete();
     print json_encode(array("result" => "success"));
@@ -133,7 +143,7 @@ class Comments_Controller extends REST_Controller {
    * Present a form for adding a new comment to this item or editing an existing comment.
    *  @see REST_Controller::form_add($resource)
    */
-  public function _form_add($item) {
+  public function _form_add($item_id) {
     $item = ORM::factory("item", $item_id);
     access::required("view", $item);