[FIX] website_forum: check karma access on direct message edit/unlink too

Access rights on messages are derived from the
access rights on the documents they are attached
to. Due to the karma-based nature of the forum
access rights, these do not automatically reflect
on messages, because they are not implemented as
access rules.
The check_mail_message_access() needs to be
overriden to achieve the same effect.

+ allow calling super().check_mail_message_access()
from new API (useful in forward-port)

addons/mail/mail_thread.py

@@ -589,6 +589,7 @@ class mail_thread(osv.AbstractModel):
         ir_attachment_obj.unlink(cr, uid, attach_ids, context=context)
         return True
 
+    @api.cr_uid_ids_context
     def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
         """ mail.message check permission rules for related document. This method is
             meant to be inherited in order to implement addons-specific behavior.

addons/website_forum/models/forum.py

@@ -387,6 +387,14 @@ class Post(osv.Model):
             self.pool['res.users'].add_karma(cr, SUPERUSER_ID, [uid], post.forum_id.karma_gen_question_new, context=context)
         return post_id
 
+    def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
+        for post in self.browse(cr, uid, mids, context=context):
+            # Make sure only author or moderator can edit/delete messages
+            if operation in ('write', 'unlink') and not post.can_edit:
+                raise KarmaError('Not enough karma to edit a post.')
+        return super(Post, self).check_mail_message_access(
+            cr, uid, mids, operation, model_obj=model_obj, context=context)
+
     def write(self, cr, uid, ids, vals, context=None):
         posts = self.browse(cr, uid, ids, context=context)
         if 'state' in vals: