Protect message reply functions with 'create' permission.

2016-02-10 22:17:49 -06:00 · 2016-02-10 22:17:49 -06:00 · ad9cd8be8e
parent 46923d40da
commit ad9cd8be8e
2 changed files with 8 additions and 4 deletions
--- a/tailbone/templates/messages/view.mako
+++ b/tailbone/templates/messages/view.mako
@ -43,8 +43,10 @@
 <%def name="message_tools()">
  % if recipient:
    <div class="message-tools">
+      % if request.has_perm('messages.create'):
        ${h.link_to("Reply", url('messages.reply', uuid=instance.uuid), class_='button')}
        ${h.link_to("Reply to All", url('messages.reply_all', uuid=instance.uuid), class_='button')}
+      % endif
      % if recipient.status == rattail.enum.MESSAGE_STATUS_INBOX:
        ${h.link_to("Move to Archive", url('messages.move', uuid=instance.uuid) + '?dest=archive', class_='button')}
      % else:
--- a/tailbone/views/messages.py
+++ b/tailbone/views/messages.py
@ -333,11 +333,13 @@ class MessagesView(MasterView):

        # reply
        config.add_route('messages.reply', '/messages/{uuid}/reply')
-        config.add_view(cls, attr='reply', route_name='messages.reply')
+        config.add_view(cls, attr='reply', route_name='messages.reply',
+                        permission='messages.create')

        # reply-all
        config.add_route('messages.reply_all', '/messages/{uuid}/reply-all')
-        config.add_view(cls, attr='reply_all', route_name='messages.reply_all')
+        config.add_view(cls, attr='reply_all', route_name='messages.reply_all',
+                        permission='messages.create')

        # move (single)
        config.add_route('messages.move', '/messages/{uuid}/move')