From 6377699c447f2f845acb7c673c50ca0d7dc9ec83 Mon Sep 17 00:00:00 2001
From: Olivier Dony
Date: Mon, 6 Apr 2015 00:37:36 +0200
Subject: [PATCH] [FIX] website_forum: check karma access on direct message edit/unlink too Access rights on messages are derived from the access rights on the documents they are attached to. Due to the karma-based nature of the forum access rights, these do not automatically reflect on messages, because they are not implemented as access rules. The check_mail_message_access() needs to be overriden to achieve the same effect. + allow calling super().check_mail_message_access() from new API (useful in forward-port)
---
 addons/mail/mail_thread.py | 1 +
 addons/website_forum/models/forum.py | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/addons/mail/mail_thread.py b/addons/mail/mail_thread.py
index e19de4c4c23..06975d2e078 100644
--- a/addons/mail/mail_thread.py
+++ b/addons/mail/mail_thread.py
@@ -589,6 +589,7 @@ class mail_thread(osv.AbstractModel):
 ir_attachment_obj.unlink(cr, uid, attach_ids, context=context)
 return True
+ @api.cr_uid_ids_context
 def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
 """ mail.message check permission rules for related document. This method is meant to be inherited in order to implement addons-specific behavior.
diff --git a/addons/website_forum/models/forum.py b/addons/website_forum/models/forum.py
index 44a34438145..c12d089e3a0 100644
--- a/addons/website_forum/models/forum.py
+++ b/addons/website_forum/models/forum.py
@@ -387,6 +387,14 @@ class Post(osv.Model):
 self.pool['res.users'].add_karma(cr, SUPERUSER_ID, [uid], post.forum_id.karma_gen_question_new, context=context)
 return post_id
+ def check_mail_message_access(self, cr, uid, mids, operation, model_obj=None, context=None):
+ for post in self.browse(cr, uid, mids, context=context):
+ # Make sure only author or moderator can edit/delete messages
+ if operation in ('write', 'unlink') and not post.can_edit:
+ raise KarmaError('Not enough karma to edit a post.')
+ return super(Post, self).check_mail_message_access(
+ cr, uid, mids, operation, model_obj=model_obj, context=context)
+
 def write(self, cr, uid, ids, vals, context=None):
 posts = self.browse(cr, uid, ids, context=context)
 if 'state' in vals:
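Review bot: The inline comment and the error text in the added `check_mail_message_access` do not match the check it performs: both `write` and `unlink` on a message are gated on the parent post's `can_edit`, while the comment speaks of "author or moderator" and the error always reads 'Not enough karma to edit a post.', even when a message deletion is refused. I would reword the comment to `# Editing or deleting a message requires edit karma on the post it is attached to` and add a short docstring stating that `mids` is browsed as post records here. Whether edit karma is the intended threshold for deleting a message is not visible from this hunk; if the model exposes a separate delete right, the `unlink` case should test that one instead. The `operation in ('write', 'unlink')` test does not depend on `post`, so it can sit before the loop and skip the browse for other operations.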