diff options
| author | andyst <andy.st@gmail.com> | 2009-06-01 23:45:37 -0700 |
|---|---|---|
| committer | andyst <andy.st@gmail.com> | 2009-06-01 23:45:37 -0700 |
| commit | 02a840c84cada5a1c0cc0768f350424460310e5d (patch) | |
| tree | 6a35d4afddcf291327a4ff42245bca17328084ae /modules/comment/controllers | |
| parent | d0845aadc629cf10b8eee490a651c039750a1430 (diff) | |
| parent | 3b6567f38c206f1302c7b22d94d5eae4b458311a (diff) | |
Merge branch 'master' of git@github.com:gallery/gallery3
Diffstat (limited to 'modules/comment/controllers')
| -rw-r--r-- | modules/comment/controllers/admin_comments.php | 2 | ||||
| -rw-r--r-- | modules/comment/controllers/comments.php | 5 |
2 files changed, 7 insertions, 0 deletions
diff --git a/modules/comment/controllers/admin_comments.php b/modules/comment/controllers/admin_comments.php index 50e35d23..3e8d3c46 100644 --- a/modules/comment/controllers/admin_comments.php +++ b/modules/comment/controllers/admin_comments.php @@ -107,6 +107,7 @@ class Admin_Comments_Controller extends Admin_Controller { public function set_state($id, $state) { access::verify_csrf(); + $comment = ORM::factory("comment", $id); $orig = clone $comment; if ($comment->loaded) { @@ -121,6 +122,7 @@ class Admin_Comments_Controller extends Admin_Controller { public function delete_all_spam() { access::verify_csrf(); + ORM::factory("comment") ->where("state", "spam") ->delete_all(); diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php index 930579ac..c48bd380 100644 --- a/modules/comment/controllers/comments.php +++ b/modules/comment/controllers/comments.php @@ -134,6 +134,7 @@ class Comments_Controller extends REST_Controller { */ public function _update($comment) { $item = ORM::factory("item", $comment->item_id); + access::required("view", $item); access::required("edit", $item); $form = comment::get_edit_form($comment); @@ -161,6 +162,7 @@ class Comments_Controller extends REST_Controller { */ public function _delete($comment) { $item = ORM::factory("item", $comment->item_id); + access::required("view", $item); access::required("edit", $item); $comment->delete(); @@ -183,6 +185,9 @@ class Comments_Controller extends REST_Controller { * @see REST_Controller::form_edit($resource) */ public function _form_edit($comment) { + if (!user::active()->admin) { + access::forbidden(); + } print comment::get_edit_form($comment); } } |