X-Git-Url: http://aleph1.co.uk/gitweb/?a=blobdiff_plain;f=web%2Fcore%2Fmodules%2Fcomment%2Fsrc%2FController%2FCommentController.php;h=ad821e333df1da4eb354e6918cade34d274f6158;hb=1c1cb0980bfa6caf0c24cce671b6bb541dc87583;hp=c834fa67a1cc818fd5f347105b15aa321549f2d6;hpb=a2bd1bf0c2c1f1a17d188f4dc0726a45494cefae;p=yaffs-website
diff --git a/web/core/modules/comment/src/Controller/CommentController.php b/web/core/modules/comment/src/Controller/CommentController.php
index c834fa67a..ad821e333 100644
--- a/web/core/modules/comment/src/Controller/CommentController.php
+++ b/web/core/modules/comment/src/Controller/CommentController.php
@@ -82,10 +82,10 @@ class CommentController extends ControllerBase {
 * @return \Symfony\Component\HttpFoundation\RedirectResponse
 */
 public function commentApprove(CommentInterface $comment) {
- $comment->setPublished(TRUE);
+ $comment->setPublished();
 $comment->save();
- drupal_set_message($this->t('Comment approved.'));
+ $this->messenger()->addStatus($this->t('Comment approved.'));
 $permalink_uri = $comment->permalink();
 $permalink_uri->setAbsolute();
 return new RedirectResponse($permalink_uri->toString());
@@ -279,16 +279,19 @@ class CommentController extends ControllerBase {
 // Check if the user has the proper permissions.
 $access = AccessResult::allowedIfHasPermission($account, 'post comments');
+ // If commenting is open on the entity.
 $status = $entity->{$field_name}->status;
 $access = $access->andIf(AccessResult::allowedIf($status == CommentItemInterface::OPEN)
- ->addCacheableDependency($entity));
+ ->addCacheableDependency($entity))
+ // And if user has access to the host entity.
+ ->andIf(AccessResult::allowedIf($entity->access('view')));
 // $pid indicates that this is a reply to a comment.
 if ($pid) {
 // Check if the user has the proper permissions.
 $access = $access->andIf(AccessResult::allowedIfHasPermission($account, 'access comments'));
- /// Load the parent comment.
+ // Load the parent comment.
 $comment = $this->entityManager()->getStorage('comment')->load($pid);
 // Check if the parent comment is published and belongs to the entity.
 $access = $access->andIf(AccessResult::allowedIf($comment && $comment->isPublished() && $comment->getCommentedEntityId() == $entity->id()));
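Review bot: The added host-entity check `AccessResult::allowedIf($entity->access('view'))` reduces the entity's access result to a bare boolean, so the cacheability metadata of the view check never reaches `$access`. It is also evaluated for the current user, not for the `$account` that the two permission checks in this hunk use. If view access on the host entity varies per user, the combined result could be cached or evaluated for the wrong subject, which would undercut the restriction this change introduces. Passing the account and asking for the result object keeps both, `->andIf($entity->access('view', $account, TRUE))`. The enclosing method starts and ends outside the hunk, so whether `$account` can differ from the current user here cannot be confirmed from these lines.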