A couple of security fixes.

2010-01-19 22:56:05 +02:00 · 2010-01-19 22:56:05 +02:00 · d2907d72e8
commit d2907d72e8
parent e7d407c19e 3ad5f581d4
3 changed files with 7 additions and 4 deletions
--- a/scribeengine/controllers/blog.py
+++ b/scribeengine/controllers/blog.py
@ -71,6 +71,7 @@ class BlogController(BaseController):
        c.page_title = c.post.title
        return render(u'/blog/view.mako')

+    @authenticate()
    def comment_POST(self, id):
        if not id:
            h.flash.set_message(u'There was a problem submitting your comment.', u'error')
--- a/scribeengine/templates/base.mako
+++ b/scribeengine/templates/base.mako
@ -20,10 +20,12 @@
            <li><a href="${page.url}">${page.name}</a></li>
 % endfor
 % if c.current_user:
-            <li><a href="${h.url_for(controller='post',action='new')}">New Post</a></li>
-            <li><a href="${h.url_for(controller='admin',action='logout')}">Logout</a></li>
+% if c.current_user.has_permission('Add Posts'):
+            <li><a href="${h.url_for(controller='post', action='new')}">New Post</a></li>
+% endif
+            <li><a href="${h.url_for(controller='admin', action='logout')}">Logout</a></li>
 % else:
-            <li><a href="${h.url_for(controller='admin',action='login')}">Login</a></li>
+            <li><a href="${h.url_for(controller='admin', action='login')}">Login</a></li>
 % endif
        </ul>
    </div>