Modified: trunk/lib/authorization.rb (3534 => 3535)
--- trunk/lib/authorization.rb 2013-05-08 14:09:55 UTC (rev 3534)
+++ trunk/lib/authorization.rb 2013-05-08 16:03:44 UTC (rev 3535)
@@ -107,6 +107,12 @@
case action
when "create"
+ # You can only comment on a Group if you are a member
+ if context.kind_of?(Network)
+ return false if user.nil?
+ return false unless context.member?(user.id)
+ end
+
# Comments can be created by authenticated users that can view the context
return !user.nil? && Authorization.check('view', context, user)
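Review bot: The new comment on the `create` branch says "Group" while the guard tests `context.kind_of?(Network)`, and it does not say that membership is an extra condition on top of the existing view check rather than a replacement for it. I would word it as `# Networks (groups): commenting also requires membership; the view check below still applies`, so a later edit does not turn the guard into an early `return true`. The `return false if user.nil?` line is needed to keep `user.id` from raising, but it duplicates the `!user.nil?` in the final return; hoisting a single `return false if user.nil?` above the `Network` test would leave one nil check for the whole branch. Whether `member?` also counts the network's owner or administrators is not visible here and is worth confirming, since they would otherwise be denied. The enclosing `case action` statement starts and continues outside this hunk, so other actions on comments could not be checked for the same restriction.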