API for adding attachments to comments

CHANGELOG.md

@@ -20,6 +20,8 @@ Changes since v2.8
 - Removed requirement for organizations to match when creating catalogue item or resource (#1893). This reverts the only breaking change in 2.8.
 - Allow organization owners to edit resources, forms, licenses and workflows in their own organization (#1893)
 - Show resources, forms, licenses and workflows from all organizations to organization owners (#1893)
+- API: comments are now optional for commands
+- API: comments can have attachments (#1928)
 
 ## v2.8 "Mankkaanlaaksontie" 2020-03-03
 

resources/sql/queries.sql

@@ -250,7 +250,11 @@ VALUES
 (:application, :user, :filename, :type, :data);
 
 -- :name get-attachment :? :1
-SELECT appid, filename, type, data FROM attachment
+SELECT appid, filename, modifierUserId, type, data FROM attachment
+WHERE id = :id;
+
+-- :name get-attachment-metadata :? :1
+SELECT id, appid, filename, modifierUserId, type FROM attachment
 WHERE id = :id;
 
 -- :name get-attachments-for-application :? :*

src/clj/rems/api/applications.clj

@@ -200,7 +200,7 @@
     ;; TODO: think about size limit
     (POST "/add-attachment" []
       :summary "Add an attachment file related to an application"
-      :roles #{:applicant}
+      :roles #{:logged-in}
       :multipart-params [file :- upload/TempFileUpload]
       :query-params [application-id :- (describe s/Int "application id")]
       :middleware [multipart/wrap-multipart-params]

src/clj/rems/api/services/attachment.clj

@@ -1,5 +1,8 @@
 (ns rems.api.services.attachment
-  (:require [rems.common.application-util :as application-util]
+  (:require [clojure.set :as set]
+            [clojure.test :refer :all]
+            [rems.application.commands :as commands]
+            [rems.common.application-util :as application-util]
             [rems.auth.util :refer [throw-forbidden]]
             [rems.db.applications :as applications]
             [rems.db.attachments :as attachments]
@@ -11,15 +14,30 @@
       (header "Content-Disposition" (str "attachment;filename=" (pr-str (:attachment/filename attachment))))
       (content-type (:attachment/type attachment))))
 
+(defn- contains-attachment? [application attachment-id]
+  (some #(= attachment-id (:attachment/id %))
+        (:application/attachments application)))
+
 (defn get-application-attachment [user-id attachment-id]
   (let [attachment (attachments/get-attachment attachment-id)]
-    (when attachment
-      ;; check that the user is allowed to read the application (may throw ForbiddenException)
-      (applications/get-application user-id (:application/id attachment)))
-    attachment))
+    (cond
+      (nil? attachment)
+      nil
+
+      (= user-id (:attachment/user attachment))
+      attachment
+
+      (contains-attachment? (applications/get-application user-id (:application/id attachment))
+                            attachment-id)
+      attachment
+
+      :else
+      (throw-forbidden))))
 
 (defn add-application-attachment [user-id application-id file]
   (let [application (applications/get-application user-id application-id)]
-    (when-not (application-util/form-fields-editable? application)
+    (when-not (some (set/union commands/commands-with-comments
+                               #{:application.command/save-draft})
+                    (:application/permissions application))
       (throw-forbidden))
     (attachments/save-attachment! file user-id application-id)))

src/clj/rems/api/services/command.clj

@@ -7,6 +7,7 @@
             [rems.application.rejecter-bot :as rejecter-bot]
             [rems.common.application-util :as application-util]
             [rems.db.applications :as applications]
+            [rems.db.attachments :as attachments]
             [rems.db.catalogue :as catalogue]
             [rems.db.core :as db]
             [rems.db.events :as events]
@@ -48,7 +49,8 @@
    :get-catalogue-item catalogue/get-localized-catalogue-item
    :get-catalogue-item-licenses applications/get-catalogue-item-licenses
    :get-workflow workflow/get-workflow
-   :allocate-application-ids! applications/allocate-application-ids!})
+   :allocate-application-ids! applications/allocate-application-ids!
+   :get-attachment-metadata attachments/get-attachment-metadata})
 
 (defn command! [cmd]
   ;; Use locks to prevent multiple commands being executed in parallel.