diff --git a/askbot/jinja2/question/answer_controls.html b/askbot/jinja2/question/answer_controls.html
index 7236190a0e..df12d147e1 100644
--- a/askbot/jinja2/question/answer_controls.html
+++ b/askbot/jinja2/question/answer_controls.html
@@ -11,7 +11,7 @@
>
{% if answer.deleted %}{% trans %}undelete{% endtrans %}{% else %}{% trans %}delete{% endtrans %}{% endif %}
- {% if request.user.is_authenticated and request.user.is_post_moderator(answer) %}
+ {% if settings.GROUPS_ENABLED %}
{% set is_published=(answer.id in published_answer_ids) %}
{% endif %}
+ {% if request.user.is_anonymous or not request.user.can_publish_group_private_post(question) %}
+
+ {% endif %}
{% endif %}
diff --git a/askbot/jinja2/question/question_controls.html b/askbot/jinja2/question/question_controls.html
index 362caa5956..b2c4afd59d 100644
--- a/askbot/jinja2/question/question_controls.html
+++ b/askbot/jinja2/question/question_controls.html
@@ -4,7 +4,7 @@
class="action-link js-edit with-edit-icon"
>{% trans %}edit{% endtrans %}
{{ macros.post_flag_buttons(question) }}
- {% if request.user.is_authenticated and request.user.is_post_moderator(question) %}
+ {% if settings.GROUPS_ENABLED %}
{% set is_published=(not question.is_private()) %}
{% endif %}
+ {% if request.user.is_anonymous or not request.user.can_publish_group_private_post(question) %}
+
+ {% endif %}
{% endif %}
{% if thread.closed %}
{% trans %}close{% endtrans %}
{% endif %}
- {% trans %}merge{% endtrans %}
@@ -40,6 +45,5 @@
>{% if question.deleted %}{% trans %}undelete{% endtrans %}{% else %}{% trans %}delete{% endtrans %}{% endif %}
diff --git a/askbot/models/__init__.py b/askbot/models/__init__.py
index 2ed4f14dd9..82cf947190 100644
--- a/askbot/models/__init__.py
+++ b/askbot/models/__init__.py
@@ -2994,6 +2994,30 @@ def user_can_make_group_private_posts(self):
return (self.get_primary_group() != None)
+def user_can_publish_group_private_post(self, post):
+ """
+ Users not belonging to a non-personal private group
+ cannot publish group private posts.
+
+ Of the users who have private group,
+ admins/mods and the author of the post can publish/unpublish.
+
+ Note: there may be unexpected consequences if the site
+ has > 1 "private groups".
+
+ A private post for one group may be taken over by the admins
+ of other group.
+ """
+ group = self.get_primary_group()
+ if not group:
+ return False
+
+ if self.is_administrator_or_moderator():
+ return True
+
+ return post.author_id == self.pk
+
+
def user_request_account_termination(self):
"""Notifies admins about user account termination"""
msg_template = _('User %(username)s, id=%(id)s, %(email)s '
@@ -3718,6 +3742,7 @@ def user_is_group_member(self, group=None):
User.add_to_class('can_post_comment', user_can_post_comment)
User.add_to_class('can_post_question', user_can_post_question)
User.add_to_class('can_make_group_private_posts', user_can_make_group_private_posts)
+User.add_to_class('can_publish_group_private_post', user_can_publish_group_private_post)
User.add_to_class('is_administrator', user_is_administrator)
User.add_to_class('is_administrator_or_moderator', user_is_administrator_or_moderator)
User.add_to_class('is_admin_or_mod', user_is_administrator_or_moderator) #shorter version
diff --git a/askbot/views/commands.py b/askbot/views/commands.py
index 9eca744500..fd6ed4c9c7 100644
--- a/askbot/views/commands.py
+++ b/askbot/views/commands.py
@@ -1413,31 +1413,30 @@ def get_editor(request):
@decorators.post_only
def publish_post(request):
"""will publish or unpublish post"""
- denied_msg = _('Sorry, only thread moderators can use this function')
+ denied_msg = _('Sorry, only thread moderators or post owners can use this function')
+
+ if request.user.is_anonymous:
+ raise exceptions.PermissionDenied(denied_msg)
- if request.user.is_authenticated:
- if request.user.is_administrator_or_moderator() is False:
- raise exceptions.PermissionDenied(denied_msg)
- #todo: assert permission
post_id = IntegerField().clean(request.POST['post_id'])
post = models.Post.objects.get(pk=post_id)
- if post.thread.has_moderator(request.user) is False:
+ if not request.user.can_publish_group_private_post(post):
raise exceptions.PermissionDenied(denied_msg)
# there used to be an experiment where questions were asked
# privately to a group - i.e. the question was visible to the
# inquirer and the group only. When the answer was published
- # it was shared with the enquirer
+ # it was shared with the inquirer
# Now the code is switched to a simpler mode -
# "published" === visible to the "everyone" group.
# (and used to be "published" -> visible to the enquirer).
- #enquirer = answer.thread._question_post().author
- #enquirer_group = enquirer.get_personal_group()
+ #inquirer = answer.thread._question_post().author
+ #inquirer_group = enquirer.get_personal_group()
if askbot_settings.GROUPS_ENABLED:
if post.is_private():
- #answer.add_to_groups([enquirer_group])
+ #answer.add_to_groups([inquirer_group])
if post.post_type == 'question':
post.thread.make_public()
else:
@@ -1445,7 +1444,7 @@ def publish_post(request):
message = _('The post is now published')
else:
- #answer.remove_from_groups([enquirer_group])
+ #answer.remove_from_groups([inquirer_group])
if post.post_type == 'question':
post.thread.make_private(request.user)
else: