A couple of security fixes.

scribeengine/controllers/blog.py

@@ -71,6 +71,7 @@ class BlogController(BaseController):
         c.page_title = c.post.title
         return render(u'/blog/view.mako')
 
+    @authenticate()
     def comment_POST(self, id):
         if not id:
             h.flash.set_message(u'There was a problem submitting your comment.', u'error')

scribeengine/controllers/post.py

@@ -47,7 +47,7 @@ class PostController(BaseController):
         c.post = Session.query(Post).get(id)
         c.page_title = 'Edit Post: %s' % c.post.title
         return render(u'/post/edit.mako')
-        
+
     @authenticate(u'Edit My Posts')
     def edit_POST(self, id=None):
         url = utils.generate_url(c.form_values[u'title'])

scribeengine/templates/base.mako

@@ -20,10 +20,12 @@
             <li><a href="${page.url}">${page.name}</a></li>
 % endfor
 % if c.current_user:
-            <li><a href="${h.url_for(controller='post',action='new')}">New Post</a></li>
+% if c.current_user.has_permission('Add Posts'):
-            <li><a href="${h.url_for(controller='admin',action='logout')}">Logout</a></li>
+            <li><a href="${h.url_for(controller='post', action='new')}">New Post</a></li>
+% endif
+            <li><a href="${h.url_for(controller='admin', action='logout')}">Logout</a></li>
 % else:
-            <li><a href="${h.url_for(controller='admin',action='login')}">Login</a></li>
+            <li><a href="${h.url_for(controller='admin', action='login')}">Login</a></li>
 % endif
         </ul>
     </div>