From 97f75a04e54ac1bbc21b362d911a4ac7365f5561 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Fri, 11 Nov 2016 15:52:33 +0100
Subject: [PATCH] Only allow commenting when user has PUT access on the node.
---
 attract/shots_and_assets/routes_assets.py | 3 ++-
 attract/shots_and_assets/routes_shots.py | 3 ++-
 attract/tasks/routes.py | 6 ++++--
 src/templates/attract/shots/view_shot_embed.jade | 6 +++---
 src/templates/attract/tasks/view_task_embed.jade | 8 ++++----
 5 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/attract/shots_and_assets/routes_assets.py b/attract/shots_and_assets/routes_assets.py
index da811ea..23da3e9 100644
--- a/attract/shots_and_assets/routes_assets.py
+++ b/attract/shots_and_assets/routes_assets.py
@@ -52,7 +52,8 @@ def view_asset(project, attract_props, asset_id):
 asset=asset,
 project=project,
 asset_node_type=node_type,
- attract_props=attract_props)
+ attract_props=attract_props,
+ can_edit='PUT' in asset.allowed_methods)
 @perproject_blueprint.route('/', methods=['POST'])
diff --git a/attract/shots_and_assets/routes_shots.py b/attract/shots_and_assets/routes_shots.py
index 3b3d572..74c9687 100644
--- a/attract/shots_and_assets/routes_shots.py
+++ b/attract/shots_and_assets/routes_shots.py
@@ -61,7 +61,8 @@ def view_shot(project, attract_props, shot_id):
 shot=shot,
 project=project,
 shot_node_type=node_type,
- attract_props=attract_props)
+ attract_props=attract_props,
+ can_edit='PUT' in shot.allowed_methods)
 @perproject_blueprint.route('/', methods=['POST'])
diff --git a/attract/tasks/routes.py b/attract/tasks/routes.py
index 6a45bc8..e04b2c4 100644
--- a/attract/tasks/routes.py
+++ b/attract/tasks/routes.py
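Review bot: `can_edit` is now passed by `view_asset` in the routes_assets.py hunk, but the diffstat lists no asset template, so nothing in this patch reads the flag on that page. If the asset embed template also calls `loadComments(...)`, its URL is still built without `can_comment` and the restriction named in the subject would not reach assets; that template is not visible here, so this needs checking. The routes_shots.py hunk passes the same flag, and view_shot_embed.jade does consume it. Both calls begin outside their hunks.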
@@ -76,7 +76,8 @@ def view_task(project, attract_props, task_id):
 task.properties.due_date = parser.parse('%s' % task.properties.due_date)
 # Fetch project users so that we can assign them tasks
- if 'PUT' in task.allowed_methods:
+ can_edit = 'PUT' in task.allowed_methods
+ if can_edit:
 users = project.get_users(api=api)
 project.users = users['_items']
 else:
@@ -94,7 +95,8 @@ def view_task(project, attract_props, task_id):
 task_node_type=node_type,
 task_types=task_types,
 attract_props=attract_props.to_dict(),
- attract_context=request.args.get('context'))
+ attract_context=request.args.get('context'),
+ can_edit=can_edit)
 def task_types_given_context(project, attract_props, page_context, task):
diff --git a/src/templates/attract/shots/view_shot_embed.jade b/src/templates/attract/shots/view_shot_embed.jade
index 840f470..9b3a814 100644
--- a/src/templates/attract/shots/view_shot_embed.jade
+++ b/src/templates/attract/shots/view_shot_embed.jade
@@ -11,7 +11,7 @@
 title="Copy ID to clipboard")
 | ID
- | {% if 'PUT' in shot.allowed_methods %}
+ | {% if can_edit %}
 .input-group
 textarea#item-description.input-transparent(
 name="description",
@@ -129,7 +129,7 @@ script.
 var activities_url = "{{ url_for('.activities', project_url=project.url, shot_id=shot['_id']) }}";
 loadActivities(activities_url); // from 10_tasks.js
- loadComments("{{ url_for('nodes.comments_for_node', node_id=shot['_id']) }}");
+ loadComments("{{ url_for('nodes.comments_for_node', node_id=shot['_id'], can_comment=can_edit) }}");
 $('body').on('pillar:comment-posted', function(e, comment_node_id) {
 loadActivities(activities_url)
@@ -140,7 +140,7 @@ script.
 $('.js-help').openModalUrl('Help', "{{ url_for('attract.help', project_url=project.url) }}");
- {% if 'PUT' in shot.allowed_methods %}
+ {% if can_edit %}
 /* Resize textareas */
 var textAreaFields = $('#item-description, #item-notes');
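Review bot: `{% if can_edit %}` in the `@@ -11` hunk of view_shot_embed.jade makes the template depend on the caller supplying `can_edit`, where the old `'PUT' in shot.allowed_methods` was derived from the node itself. A view that renders this template without the variable would, assuming Jinja's default undefined handling, get a falsy value and silently show the read-only form; that fails closed, but it is easy to miss. A one-line template comment such as `//- can_edit: passed by the view, true when the user has PUT on this node` near the first use would document the contract. The `@@ -140` hunk and the three `{% if can_edit %}` hunks in view_task_embed.jade rely on the same variable.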
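Review bot: `can_comment=can_edit` in the `loadComments(...)` line of the `@@ -129` hunk travels as a query-string argument on `nodes.comments_for_node`, so the browser controls its value and it can only act as a display hint. The handler for that endpoint is not in this patch; it, and whatever endpoint accepts a new comment, should derive the permission from the node's `allowed_methods` for the current user rather than from this argument. `url_for` will also serialise the boolean as the text `True` or `False`, and a non-empty `'False'` is truthy if the receiver tests the raw string, so it should be parsed explicitly there. The `@@ -203` hunk in view_task_embed.jade makes the same call.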
diff --git a/src/templates/attract/tasks/view_task_embed.jade b/src/templates/attract/tasks/view_task_embed.jade
index d9b021a..20a9f50 100644
--- a/src/templates/attract/tasks/view_task_embed.jade
+++ b/src/templates/attract/tasks/view_task_embed.jade
@@ -4,7 +4,7 @@
 input(type='hidden',name='_etag',value='{{ task._etag }}')
 //- NOTE: if you add fields here, also add them read-only below.
 .input-group
- | {% if 'PUT' in task.allowed_methods %}
+ | {% if can_edit %}
 input.item-name(
 name="name",
 type="text",
@@ -45,7 +45,7 @@
 | Delete Task
 | {% endif %}
- | {% if 'PUT' in task.allowed_methods %}
+ | {% if can_edit %}
 .input-group
 textarea#item-description(
 name="description",
@@ -160,7 +160,7 @@ script.
- {% if 'PUT' in task.allowed_methods %}
+ {% if can_edit %}
 $("#assignees").select2();
 var picker = new Pikaday(
@@ -203,6 +203,6 @@ script.
 });
 loadActivities("{{ url_for('.activities', project_url=project.url, task_id=task['_id']) }}"); // from 10_tasks.js
- loadComments("{{ url_for('nodes.comments_for_node', node_id=task['_id']) }}");
+ loadComments("{{ url_for('nodes.comments_for_node', node_id=task['_id'], can_comment=can_edit) }}");
 $('.js-help').openModalUrl('Help', "{{ url_for('attract.help', project_url=project.url) }}");