[FIX] website_forum: check karma access on direct message edit/unlink too

Access rights on messages are derived from the
access rights on the documents they are attached
to. Due to the karma-based nature of the forum
access rights, these do not automatically reflect
on messages, because they are not implemented as
access rules.
The check_mail_message_access() needs to be
overriden to achieve the same effect.

+ allow calling super().check_mail_message_access()
from new API (useful in forward-port)
This commit is contained in:
Olivier Dony 2015-04-06 00:37:36 +02:00
parent 37959d45f3
commit 6377699c44
2 changed files with 9 additions and 0 deletions

View File

@ -589,6 +589,7 @@ class mail_thread(osv.AbstractModel):
ir_attachment_obj.unlink(cr, uid, attach_ids, context=context)
return True
def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
""" mail.message check permission rules for related document. This method is
meant to be inherited in order to implement addons-specific behavior.

View File

@ -387,6 +387,14 @@ class Post(osv.Model):
self.pool['res.users'].add_karma(cr, SUPERUSER_ID, [uid], post.forum_id.karma_gen_question_new, context=context)
return post_id
def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
for post in self.browse(cr, uid, mids, context=context):
# Make sure only author or moderator can edit/delete messages
if operation in ('write', 'unlink') and not post.can_edit:
raise KarmaError('Not enough karma to edit a post.')
return super(Post, self).check_mail_message_access(
cr, uid, mids, operation, model_obj=model_obj, context=context)
def write(self, cr, uid, ids, vals, context=None):
posts = self.browse(cr, uid, ids, context=context)
if 'state' in vals: