Prevent unauthenticated users commenting on notes via the API

[rails.git] / app / abilities / api_ability.rb

diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb
index fe39f5eb5aa2475a4d1c56fa9456e9a8842d117a..4876380d0dd272e708f0180be8b3df13d3d9c88a 100644 (file)
--- a/app/abilities/api_ability.rb
+++ b/app/abilities/api_ability.rb
@@ -12,7 +12,7 @@ class ApiAbility
 
     if Settings.status != "database_offline"
       can [:show, :download, :query], Changeset
-      can [:index, :create, :comment, :feed, :show, :search], Note
+      can [:index, :create, :feed, :show, :search], Note
       can :index, Tracepoint
       can [:index, :show], User
       can [:index, :show], Node
@@ -31,7 +31,7 @@ class ApiAbility
       if Settings.status != "database_offline"
         can [:index, :new, :create, :show, :edit, :update, :destroy], ClientApplication
         can [:new, :create, :reply, :show, :inbox, :outbox, :mark, :destroy], Message
-        can [:close, :reopen], Note
+        can [:comment, :close, :reopen], Note
         can [:new, :create], Report
         can [:create, :show, :update, :destroy, :data], Trace
         can [:details, :gpx_files], User