Protect message reply functions with 'create' permission.

tailbone/templates/messages/view.mako

@@ -43,8 +43,10 @@
 <%def name="message_tools()">
   % if recipient:
     <div class="message-tools">
+      % if request.has_perm('messages.create'):
         ${h.link_to("Reply", url('messages.reply', uuid=instance.uuid), class_='button')}
         ${h.link_to("Reply to All", url('messages.reply_all', uuid=instance.uuid), class_='button')}
+      % endif
       % if recipient.status == rattail.enum.MESSAGE_STATUS_INBOX:
         ${h.link_to("Move to Archive", url('messages.move', uuid=instance.uuid) + '?dest=archive', class_='button')}
       % else:

tailbone/views/messages.py

@@ -333,11 +333,13 @@ class MessagesView(MasterView):
 
         # reply
         config.add_route('messages.reply', '/messages/{uuid}/reply')
-        config.add_view(cls, attr='reply', route_name='messages.reply')
+        config.add_view(cls, attr='reply', route_name='messages.reply',
+                        permission='messages.create')
 
         # reply-all
         config.add_route('messages.reply_all', '/messages/{uuid}/reply-all')
-        config.add_view(cls, attr='reply_all', route_name='messages.reply_all')
+        config.add_view(cls, attr='reply_all', route_name='messages.reply_all',
+                        permission='messages.create')
 
         # move (single)
         config.add_route('messages.move', '/messages/{uuid}/move')