A couple of security fixes.

2010-01-19 22:56:05 +02:00 · 2010-01-19 22:56:05 +02:00 · d2907d72e8
parent e7d407c19e 3ad5f581d4
commit d2907d72e8
3 changed files with 7 additions and 4 deletions
--- a/scribeengine/controllers/blog.py
+++ b/scribeengine/controllers/blog.py
@ -71,6 +71,7 @@ class BlogController(BaseController):
        c.page_title = c.post.title
        return render(u'/blog/view.mako')

+    @authenticate()
    def comment_POST(self, id):
        if not id:
            h.flash.set_message(u'There was a problem submitting your comment.', u'error')
--- a/scribeengine/controllers/post.py
+++ b/scribeengine/controllers/post.py
@ -47,7 +47,7 @@ class PostController(BaseController):
        c.post = Session.query(Post).get(id)
        c.page_title = 'Edit Post: %s' % c.post.title
        return render(u'/post/edit.mako')
-        
+
    @authenticate(u'Edit My Posts')
    def edit_POST(self, id=None):
        url = utils.generate_url(c.form_values[u'title'])
--- a/scribeengine/templates/base.mako
+++ b/scribeengine/templates/base.mako
@ -20,10 +20,12 @@
            <li><a href="${page.url}">${page.name}</a></li>
 % endfor
 % if c.current_user:
-            <li><a href="${h.url_for(controller='post',action='new')}">New Post</a></li>
-            <li><a href="${h.url_for(controller='admin',action='logout')}">Logout</a></li>
+% if c.current_user.has_permission('Add Posts'):
+            <li><a href="${h.url_for(controller='post', action='new')}">New Post</a></li>
+% endif
+            <li><a href="${h.url_for(controller='admin', action='logout')}">Logout</a></li>
 % else:
-            <li><a href="${h.url_for(controller='admin',action='login')}">Login</a></li>
+            <li><a href="${h.url_for(controller='admin', action='login')}">Login</a></li>
 % endif
        </ul>
    </div>