From ad9cd8be8ec624481120cd016071fcca87a6a523 Mon Sep 17 00:00:00 2001
From: Lance Edgar
Date: Wed, 10 Feb 2016 22:17:49 -0600
Subject: [PATCH] Protect message reply functions with 'create' permission.

---
 tailbone/templates/messages/view.mako | 6 ++++--
 tailbone/views/messages.py | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/tailbone/templates/messages/view.mako b/tailbone/templates/messages/view.mako
index 5dfbfb1d..3c4b90a5 100644
--- a/tailbone/templates/messages/view.mako
+++ b/tailbone/templates/messages/view.mako
@@ -43,8 +43,10 @@
 <%def name="message_tools()">
 % if recipient:
- ${h.link_to("Reply", url('messages.reply', uuid=instance.uuid), class_='button')}
- ${h.link_to("Reply to All", url('messages.reply_all', uuid=instance.uuid), class_='button')}
+ % if request.has_perm('messages.create'):
+ ${h.link_to("Reply", url('messages.reply', uuid=instance.uuid), class_='button')}
+ ${h.link_to("Reply to All", url('messages.reply_all', uuid=instance.uuid), class_='button')}
+ % endif
 % if recipient.status == rattail.enum.MESSAGE_STATUS_INBOX:
 ${h.link_to("Move to Archive", url('messages.move', uuid=instance.uuid) + '?dest=archive', class_='button')}
 % else:
diff --git a/tailbone/views/messages.py b/tailbone/views/messages.py
index 5fb147a9..790556e0 100644
--- a/tailbone/views/messages.py
+++ b/tailbone/views/messages.py
@@ -333,11 +333,13 @@ class MessagesView(MasterView):
 # reply
 config.add_route('messages.reply', '/messages/{uuid}/reply')
- config.add_view(cls, attr='reply', route_name='messages.reply')
+ config.add_view(cls, attr='reply', route_name='messages.reply',
+ permission='messages.create')
 # reply-all
 config.add_route('messages.reply_all', '/messages/{uuid}/reply-all')
- config.add_view(cls, attr='reply_all', route_name='messages.reply_all')
+ config.add_view(cls, attr='reply_all', route_name='messages.reply_all',
+ permission='messages.create')
 # move (single)
 config.add_route('messages.move', '/messages/{uuid}/move')
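Review bot: `permission='messages.create'` on the two `add_view` calls gates the caller's role but not the object: the template only renders the reply links when `recipient` is set (the current user is a party to the message), whereas the view registration in this hunk enforces nothing about the `{uuid}` in the route. Unless the `reply` and `reply_all` methods themselves verify that the requesting user is a recipient of that message, the object-level restriction exists only in the template, and the route remains reachable for any message by a user holding `messages.create`. A comment on each `add_view` call would make the contract explicit, e.g. `# role check only; reply()/reply_all() must confirm the user is a recipient of the message`. The mako hunk above repeats the literal `'messages.create'`, so the template guard and the view permission have to be kept in sync by hand. The enclosing classmethod (it receives `cls` and `config`) starts before and ends after this hunk, and the `reply`/`reply_all` bodies are not visible here.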