-rw-r--r-- | modules/comment/controllers/comments.php | 12 | ||||
-rw-r--r-- | modules/comment/models/comment.php | 2 |
2 files changed, 12 insertions, 2 deletions
diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php
index bb8aeb55..1bf1a9e2 100644
--- a/modules/comment/controllers/comments.php
+++ b/modules/comment/controllers/comments.php
@@ -84,6 +84,12 @@ class Comments_Controller extends REST_Controller {
 * @see REST_Controller::_show($resource)
 */
 public function _show($comment) {
+ $item = ORM::factory("item", $comment->item_id);
+ access::required("view", $item);
+ if ($comment->state != "published") {
+ return;
+ }
+
 if (rest::output_format() == "json") {
 print json_encode(
 array("result" => "success",
@@ -100,6 +106,8 @@ class Comments_Controller extends REST_Controller {
 * @see REST_Controller::_update($resource)
 */
 public function _update($comment) {
+ $item = ORM::factory("item", $comment->item_id);
+ access::required("edit", $item);
 $form = comment::get_edit_form($comment);
 if ($form->validate()) {
@@ -124,6 +132,8 @@ class Comments_Controller extends REST_Controller {
 * @see REST_Controller::_delete($resource)
 */
 public function _delete($comment) {
+ $item = ORM::factory("item", $comment->item_id);
+ access::required("edit", $item);
 $comment->delete();
 print json_encode(array("result" => "success"));
@@ -133,7 +143,7 @@ class Comments_Controller extends REST_Controller {
 * Present a form for adding a new comment to this item or editing an existing comment.
 * @see REST_Controller::form_add($resource)
 */
- public function _form_add($item) {
+ public function _form_add($item_id) {
 $item = ORM::factory("item", $item_id);
 access::required("view", $item);
diff --git a/modules/comment/models/comment.php b/modules/comment/models/comment.php
index 4c4a8729..323356b4 100644
--- a/modules/comment/models/comment.php
+++ b/modules/comment/models/comment.php
@@ -20,7 +20,7 @@ class Comment_Model extends ORM {
 var $rules = array(
 "author" => "required",
- "email" => "required|valid_email",
+ "email" => "valid_email",
 "url" => "valid_url",
 "text" => "required");
 } |
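Review bot: The unpublished branch added to `_show` bails out with a bare `return`, so a JSON client gets an empty body with a success status instead of a response it can act on, and the state test uses loose `!=` on a string. Prefer `if ($comment->state !== "published") {` followed by the same 404-style failure the controller uses for a missing resource, so an unpublished comment is indistinguishable from a nonexistent one to a viewer who lacks edit rights. The `ORM::factory("item", $comment->item_id)` + `access::required(...)` pattern is repeated in `_update` and `_delete`; if `item_id` can point at a deleted item the factory presumably yields an unloaded model, and it is worth confirming that `access::required` denies rather than allows in that case. `_show`, `_update` and `_delete` all continue past the end of their hunks.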
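Review bot: Dropping `required` from the `email` rule while keeping `valid_email` only makes the field optional if the validation library skips non-required rules on an empty value; if it does not, an omitted email still fails validation and the change has no effect. A test that submits a comment with an empty email would settle this, and a short comment on the rules array stating the intent, e.g. `// email is optional but must be well-formed when given`, would stop the next reader from re-adding `required`. Any downstream code that assumed a non-empty `email` (display, notification, avatar lookup) now has to handle the empty string, which is not visible in this diff.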