|
@ -143,6 +143,7 @@ class Comment(DatabaseModel): |
|
|
|
|
|
|
|
|
def __acl__(self) -> Sequence[Tuple[str, Any, str]]: |
|
|
def __acl__(self) -> Sequence[Tuple[str, Any, str]]: |
|
|
"""Pyramid security ACL.""" |
|
|
"""Pyramid security ACL.""" |
|
|
|
|
|
# pylint: disable=too-many-branches |
|
|
acl = [] |
|
|
acl = [] |
|
|
|
|
|
|
|
|
# nobody has any permissions on deleted comments |
|
|
# nobody has any permissions on deleted comments |
|
@ -186,6 +187,8 @@ class Comment(DatabaseModel): |
|
|
# reply: |
|
|
# reply: |
|
|
# - removed comments can't be replied to by anyone |
|
|
# - removed comments can't be replied to by anyone |
|
|
# - if the topic is locked, only admins can reply |
|
|
# - if the topic is locked, only admins can reply |
|
|
|
|
|
# - if the user has "comment.reply_slow", they can't reply to comments less |
|
|
|
|
|
# than 2 hours old |
|
|
# - otherwise, logged-in users can reply |
|
|
# - otherwise, logged-in users can reply |
|
|
if self.is_removed: |
|
|
if self.is_removed: |
|
|
acl.append((Deny, Everyone, "reply")) |
|
|
acl.append((Deny, Everyone, "reply")) |
|
@ -194,6 +197,9 @@ class Comment(DatabaseModel): |
|
|
acl.append((Allow, "admin", "reply")) |
|
|
acl.append((Allow, "admin", "reply")) |
|
|
acl.append((Deny, Everyone, "reply")) |
|
|
acl.append((Deny, Everyone, "reply")) |
|
|
|
|
|
|
|
|
|
|
|
if utc_now() - self.created_time < timedelta(hours=2): |
|
|
|
|
|
acl.append((Deny, "comment.reply_slow", "reply")) |
|
|
|
|
|
|
|
|
acl.append((Allow, Authenticated, "reply")) |
|
|
acl.append((Allow, Authenticated, "reply")) |
|
|
|
|
|
|
|
|
# edit: |
|
|
# edit: |
|
|
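Review bot: The new `(Deny, "comment.reply_slow", "reply")` entry in the third hunk depends on ACE ordering that nothing in the code documents. Pyramid's ACL check stops at the first matching ACE, so the restriction only takes effect because it is appended before `(Allow, Authenticated, "reply")`. On what appears to be the locked-topic branch, the earlier `(Allow, "admin", "reply")` matches first, so a user holding both principals would be throttled on an unlocked topic but not on a locked one. I would add a comment above the `if`, such as `# must stay before the Authenticated Allow: Pyramid stops at the first matching ACE`, and move the window into a named constant so the `# than 2 hours old` comment and `timedelta(hours=2)` cannot drift apart. The body of `__acl__` starts and ends outside these hunks, so the locked-topic condition is inferred from the comment block, and a test at the two-hour boundary for a `comment.reply_slow` principal would pin the intended behaviour.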