A couple of security fixes.

scribeengine/controllers/blog.py

@@ -71,6 +71,7 @@ class BlogController(BaseController):
         c.page_title = c.post.title
         return render(u'/blog/view.mako')
 
+    @authenticate()
     def comment_POST(self, id):
         if not id:
             h.flash.set_message(u'There was a problem submitting your comment.', u'error')

scribeengine/templates/base.mako

@@ -20,7 +20,9 @@
             <li><a href="${page.url}">${page.name}</a></li>
 % endfor
 % if c.current_user:
+% if c.current_user.has_permission('Add Posts'):
             <li><a href="${h.url_for(controller='post', action='new')}">New Post</a></li>
+% endif
             <li><a href="${h.url_for(controller='admin', action='logout')}">Logout</a></li>
 % else:
             <li><a href="${h.url_for(controller='admin', action='login')}">Login</a></li>