Index: openacs-4/packages/forums/lib/message/post.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/forums/lib/message/post.tcl,v diff -u -r1.25 -r1.26 --- openacs-4/packages/forums/lib/message/post.tcl 9 Nov 2017 17:28:22 -0000 1.25 +++ openacs-4/packages/forums/lib/message/post.tcl 7 Jun 2018 18:08:11 -0000 1.26 @@ -1,5 +1,5 @@ ad_page_contract { - + Form to create message and insert it @author Ben Adida (ben@openforce.net) @@ -38,10 +38,10 @@ set form_elements { {message_id:key} {subject:text(text) - {html {maxlength $max_subject_chars size 60}} + {html {maxlength $max_subject_chars size 60}} {label "[_ forums.Subject]"} } - {message_body:richtext(richtext) + {message_body:richtext(richtext) {html {rows 20 cols 60}} {label "[_ forums.Body]"} } @@ -99,7 +99,7 @@ set forum_id $parent_message(forum_id) set subject [forum::format::reply_subject $parent_message(subject)] } - + set confirm_p 0 set subscribe_p 0 set anonymous_p 0 @@ -118,10 +118,10 @@ template::form::set_error message subject [_ acs-tcl.lt_name_is_too_long__Ple] break } - + if { $anonymous_p eq "" } { set anonymous_p 0 } - + set action [template::form::get_button message] # Make post the default action @@ -132,15 +132,15 @@ set displayed_user_id [expr {$anonymous_allowed_p && $anonymous_p ? 0 : $user_id}] if {$action eq "preview"} { - + set confirm_p 1 set subject.spellcheck ":nospell:" set content.spellcheck ":nospell:" set content [template::util::richtext::get_property content $message_body] set format [template::util::richtext::get_property format $message_body] - + set exported_vars [export_vars -form {message_id forum_id parent_id subject {message_body $content} {message_body.format $format} confirm_p subject.spellcheck content.spellcheck anonymous_p attach_p}] - + set message(format) $format set message(subject) $subject set message(content) $content 
@@ -149,7 +149,7 @@ set message(screen_name) $screen_name set message(posting_date_ansi) [clock format [clock seconds] -format "%Y-%m-%d %H:%M:%S"] set message(posting_date_pretty) [lc_time_fmt $message(posting_date_ansi) "%x %X"] - + # Let's check if this person is subscribed to the forum # in case we might want to subscribe them to the thread if {$parent_id eq ""} { @@ -163,14 +163,14 @@ set forum_notification_p 0 } } - + ad_return_template "/packages/forums/lib/message/post-confirm" } if {$action eq "post"} { set content [template::util::richtext::get_property content $message_body] set format [template::util::richtext::get_property format $message_body] - + forum::message::new \ -forum_id $forum_id \ -message_id $message_id \ @@ -179,7 +179,7 @@ -content $content \ -format $format \ -user_id $displayed_user_id - + # DRB: Black magic cache flush call which will disappear when list builder is # rewritten to paginate internally rather than use the template paginator. cache flush "messages,forum_id=$forum_id*" @@ -189,7 +189,7 @@ set db_antwort [db_exec_plsql forums_reading_info__remove_msg {}] } - set permissions(moderate_p) [forum::security::can_moderate_forum_p -forum_id $forum_id] + set permissions(moderate_p) [permission::permission_p -object_id $forum_id -privilege "forum_moderate"] db_transaction { if { $permissions(moderate_p) } { 
@@ -199,33 +199,33 @@ # VGUERRA Redirecting to the first message ALWAYS forum::message::get -message_id $message_id -array msg - set redirect_url "[ad_conn package_url]message-view?message_id=$msg(root_message_id)" - + set redirect_url "[ad_conn package_url]message-view?message_id=$msg(root_message_id)" + # Wrap the notifications URL if {$subscribe_p ne "" && $subscribe_p && $parent_id eq ""} { set notification_url [notification::display::subscribe_url \ -type forums_message_notif \ -object_id $message_id \ -url $redirect_url \ -user_id $user_id] - + # redirect to notification stuff set redirect_url $notification_url } - + # Wrap the attachments URL if {$attachments_enabled_p} { if { $attach_p ne "" && $attach_p} { set redirect_url [attachments::add_attachment_url -object_id $message_id -return_url $redirect_url -pretty_name "[_ forums.Forum_Posting] \"$subject\""] } } - + # Do the redirection if { !$permissions(moderate_p) } { forum::get -forum_id $forum_id -array forum if { $forum(posting_policy) eq "moderated" } { # if the forum is moderated, give some feedback to the user - # to inform that the message has been sent and is pending + # to inform that the message has been sent and is pending set feedback_msg [_ forums.Message_sent_to_moderator] ad_returnredirect -message $feedback_msg -- $redirect_url ad_script_abort Index: openacs-4/packages/forums/tcl/forums-security-procs.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/forums/tcl/forums-security-procs.tcl,v diff -u -r1.21 -r1.22 --- openacs-4/packages/forums/tcl/forums-security-procs.tcl 7 Jun 2018 17:53:11 -0000 1.21 +++ openacs-4/packages/forums/tcl/forums-security-procs.tcl 7 Jun 2018 18:08:11 -0000 1.22 
@@ -49,9 +49,10 @@ set user_id [expr {$user_id eq "" ? [ad_conn user_id] : $user_id}] # Moderators can always post - if {[can_moderate_forum_p \ - -forum_id $forum_id \ - -user_id $user_id]} { + if { ![permission::permission_p \ + -party_id $user_id \ + -object_id $forum_id \ + -privilege "forum_moderate"] } { return true } @@ -87,7 +88,11 @@ {-user_id ""} {-forum_id:required} } { - if {![can_moderate_forum_p -user_id $user_id -forum_id $forum_id]} { + # Probably this whole proc could be replaced by just permission::require_permission + if { ![permission::permission_p \ + -party_id $user_id \ + -object_id $forum_id \ + -privilege "forum_moderate"] } { do_abort } } @@ -99,7 +104,7 @@ } { upvar $array_name array - set array(admin_p) [forum::security::can_moderate_forum_p -forum_id $forum_id] + set array(admin_p) [permission::permission_p -object_id $forum_id -privilege "forum_moderate"] set array(moderate_p) $array(admin_p) set array(post_p) [expr {$array(admin_p) || [forum::security::can_post_forum_p -forum_id $forum_id -user_id $user_id]}] } @@ -150,7 +155,7 @@ {-message_id:required} } { forum::message::get -message_id $message_id -array message - return [can_moderate_forum_p -forum_id $message(forum_id) -user_id $user_id] + return [permission::permission_p -party_id $user_id -object_id $message(forum_id) -privilege "forum_moderate"] } ad_proc -deprecated -public require_moderate_message { 
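Review bot: The rewritten guard under `# Moderators can always post` is inverted. The removed line returned true when `can_moderate_forum_p` held, but the new one begins `if { ![permission::permission_p \`, so the early `return true` now fires for every user who lacks `forum_moderate`. Drop the negation so the first line reads `if { [permission::permission_p \`. The `!` in the other rewritten guards of this file matches the lines they replace, so only this hunk is affected. The enclosing proc starts and ends outside the hunk, so the assumption that further posting checks follow is inferred from the comment and the early return.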
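Review bot: In the hunk at `@@ -99,7 +104,7 @@`, `array(admin_p)` is computed without `-party_id`, so it is presumably evaluated for the connection user, while `array(post_p)` two lines below is evaluated with `-user_id $user_id`. If a caller passes a user other than the one making the request, the array mixes two users' permissions. The other replacements in this file pass `-party_id $user_id`, so suggest `set array(admin_p) [permission::permission_p -party_id $user_id -object_id $forum_id -privilege "forum_moderate"]`. The proc's signature is outside the hunk, so confirm how `user_id` is defaulted there.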
@@ -173,7 +178,10 @@ {-user_id ""} {-forum_id:required} } { - if {![can_moderate_forum_p -user_id $user_id -forum_id $forum_id]} { + if { ![permission::permission_p \ + -party_id $user_id \ + -object_id $forum_id \ + -privilege "forum_moderate"] } { do_abort } } Index: openacs-4/packages/forums/www/message-post.tcl =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/forums/www/message-post.tcl,v diff -u -r1.47 -r1.48 --- openacs-4/packages/forums/www/message-post.tcl 13 Oct 2017 09:39:12 -0000 1.47 +++ openacs-4/packages/forums/www/message-post.tcl 7 Jun 2018 18:08:11 -0000 1.48 @@ -1,5 +1,5 @@ ad_page_contract { - + Form to create message and insert it @author Ben Adida (ben@openforce.net) @@ -40,14 +40,14 @@ ############################## # Pull out required forum and parent data and -# perform security checks +# perform security checks # if {$parent_id eq ""} { # no parent_id, therefore new thread # require thread creation privs forum::get -forum_id $forum_id -array forum - - if {![forum::security::can_moderate_forum_p -forum_id $forum_id]} { + + if { ![permission::permission_p -object_id $forum_id -privilege "forum_moderate"] } { forum::security::require_post_forum -forum_id $forum_id # check if we can post new threads if {!$forum(new_questions_allowed_p)} { @@ -59,7 +59,7 @@ set parent_message(tree_level) 0 # see if they're allowed to add to this thread - if {![forum::security::can_moderate_forum_p -forum_id $forum_id]} { + if { ![permission::permission_p -object_id $forum_id -privilege "forum_moderate"] } { forum::security::require_post_forum -forum_id $parent_message(forum_id) }
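Review bot: In the reply branch of message-post.tcl (hunk `@@ -59,7 +59,7 @@`), the moderator test is made against `$forum_id`, but the posting check inside it uses `$parent_message(forum_id)`. If `forum_id` at this point still comes from the request rather than from the parent message, holding `forum_moderate` on an unrelated forum would be enough to skip `require_post_forum` for the thread's actual forum. Checking the same object in both places avoids that: `if { ![permission::permission_p -object_id $parent_message(forum_id) -privilege "forum_moderate"] } {`. The lines that load `parent_message` are outside the hunk, so whether `forum_id` is reassigned beforehand cannot be confirmed from here.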