Fixed comment permissions

code/dataobjects/Comment.php

@@ -267,58 +267,96 @@ class Comment extends DataObject {
 	 * @return Boolean
 	 */
 	public function canView($member = null) {
-		if(!$member) $member = Member::currentUser();
+		$member = $this->getMember($member);
 
-		// Standard mechanism for accepting permission changes from decorators
 		$extended = $this->extendedCan('canView', $member);
-		if($extended !== null) return $extended;
+		if($extended !== null) {
+			return $extended;
+		}
 
-		// Allow admin
+		if(Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin')) {
-		if(Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin')) return true;
+			return true;
+		}
 
-		// Check if parent has comments and can be viewed
+		if($parent = $this->getParent()) {
-		$parent = $this->getParent();
+			return $parent->canView($member)
-		return $parent && $parent->ProvideComments && $parent->canView($member);
+				&& $parent->has_extension('CommentsExtension')
+				&& $parent->CommentsEnabled;
+		}
+
+		return false;
 	}
 
 	/**
-	 * Checks for "CMS_ACCESS_CommentAdmin" permission codes and
+	 * Checks if the comment can be edited.
-	 * {@link canView()}.
 	 *
-	 * @param Member $member
+	 * @param null|int|Member $member
 	 *
 	 * @return Boolean
 	 */
 	public function canEdit($member = null) {
-		if(!$member) $member = Member::currentUser();
+		$member = $this->getMember($member);
+
+		if(!$member) {
+			return false;
+		}
 
-		// Standard mechanism for accepting permission changes from decorators
 		$extended = $this->extendedCan('canEdit', $member);
-		if($extended !== null) return $extended;
+		if($extended !== null) {
+			return $extended;
+		}
 
-		if(!$this->canView($member)) return false;
+		if(Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin')) {
+			return true;
+		}
 
-		return (bool) Permission::checkMember($member, 'CMS_ACCESS_CommentAdmin');
+		if($parent = $this->getParent()) {
+			return $parent->canEdit($member);
+		}
+
+		return false;
 	}
 
 	/**
-	 * Checks for "CMS_ACCESS_CommentAdmin" permission codes and
+	 * Checks if the comment can be deleted.
-	 * {@link canEdit()}.
 	 *
-	 * @param Member $member
+	 * @param null|int|Member $member
 	 *
 	 * @return Boolean
 	 */
 	public function canDelete($member = null) {
-		if(!$member) $member = Member::currentUser();
+		$member = $this->getMember($member);
+
+		if(!$member) {
+			return false;
+		}
 
-		// Standard mechanism for accepting permission changes from decorators
 		$extended = $this->extendedCan('canDelete', $member);
-		if($extended !== null) return $extended;
+		if($extended !== null) {
+			return $extended;
+		}
 
 		return $this->canEdit($member);
 	}
 
+	/**
+	 * Resolves Member object.
+	 *
+	 * @param Member|int|null $member
+	 * @return Member|null
+	 */
+	protected function getMember($member = null) {
+		if(!$member) {
+			$member = Member::currentUser();
+		}
+
+		if(is_numeric($member)) {
+			$member = DataObject::get_by_id('Member', $member, true);
+		}
+
+		return $member;
+	}
+
 	/**
 	 * Return the authors name for the comment
 	 *

tests/CommentsTest.php

@@ -14,6 +14,25 @@ class CommentsTest extends FunctionalTest {
 	public function setUp() {
 		parent::setUp();
 		Config::nest();
+
+		// Set good default values
+		Config::inst()->update('CommentsExtension', 'comments', array(
+			'enabled' => true,
+			'enabled_cms' => false,
+			'require_login' => false,
+			'require_login_cms' => false,
+			'required_permission' => false,
+			'require_moderation_nonmembers' => false,
+			'require_moderation' => false,
+			'require_moderation_cms' => false,
+			'frontend_moderation' => false,
+			'frontend_spam' => false,
+		));
+
+		// Configure this dataobject
+		Config::inst()->update('CommentableItem', 'comments', array(
+			'enabled_cms' => true
+		));
 	}
 
 	public function tearDown() {