From e8e8ee71ed24c03a46a68431dac480b338bd8600 Mon Sep 17 00:00:00 2001
From: Adrian Fish
Date: Tue, 26 Sep 2017 16:30:09 +0100
Subject: [PATCH] SAK-33403 Can only post via XHR if post.create is set. (#4834)

---
 .../commons/impl/CommonsSecurityManagerImpl.java | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/commons/impl/src/java/org/sakaiproject/commons/impl/CommonsSecurityManagerImpl.java b/commons/impl/src/java/org/sakaiproject/commons/impl/CommonsSecurityManagerImpl.java
index 7be63cc39e7f..32a7a1f9cd14 100644
--- a/commons/impl/src/java/org/sakaiproject/commons/impl/CommonsSecurityManagerImpl.java
+++ b/commons/impl/src/java/org/sakaiproject/commons/impl/CommonsSecurityManagerImpl.java
@@ -17,6 +17,8 @@
 package org.sakaiproject.commons.impl;
 
+import org.apache.commons.lang.StringUtils;
+
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.List;
@@ -95,8 +97,12 @@ public boolean canCurrentUserEditPost(Post post) {
         String currentUser = sakaiProxy.getCurrentUserId();
 
         // If the current user is authenticated and the post author, yes.
-        if (currentUser != null && currentUser.equals(post.getCreatorId()) && sakaiProxy.isAllowedFunction(CommonsFunctions.POST_UPDATE_OWN, post.getSiteId())) {
-            return true;
+        if (currentUser != null && currentUser.equals(post.getCreatorId())) {
+            if (StringUtils.isEmpty(post.getId())) {
+                return sakaiProxy.isAllowedFunction(CommonsFunctions.POST_CREATE, post.getSiteId());
+            } else {
+                return sakaiProxy.isAllowedFunction(CommonsFunctions.POST_UPDATE_OWN, post.getSiteId());
+            }
         }
 
         return false;
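Review bot: The context comment `// If the current user is authenticated and the post author, yes.` directly above the rewritten `if` is now stale, because the outcome also depends on whether the post carries an id and on which function the site grants; replace it with `// Author check: a post with no id is being created (needs CommonsFunctions.POST_CREATE), otherwise it is an update of the user's own post (needs CommonsFunctions.POST_UPDATE_OWN).`. Both values that select the branch, `post.getId()` and `post.getCreatorId()`, are read from the submitted Post rather than from a persisted copy, so the method only fails closed if its callers load the stored post (or set creatorId from the session) before asking it — worth confirming at the call sites, which are not in this hunk. `StringUtils.isEmpty` treats a whitespace-only id as an existing post and routes it to the POST_UPDATE_OWN check; if such ids can arrive from the XHR client, `StringUtils.isBlank` would send them to the create check instead. The signature and closing brace of canCurrentUserEditPost lie outside the hunk.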