From 56f93fbf38fe1386eda012af9ebca224696a4faa Mon Sep 17 00:00:00 2001
From: Vasile Popescu
Date: Thu, 5 Sep 2024 16:44:33 +0200
Subject: [PATCH 1/2] Protect the comments deletion and edit by the right permissions
---
 comments/views.py | 11 +++++++++--
 front_end/src/components/comment_feed/comment.tsx | 15 ++++++++-------
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/comments/views.py b/comments/views.py
index a37d5068ee..f6777ab09e 100644
--- a/comments/views.py
+++ b/comments/views.py
@@ -4,8 +4,9 @@ from django.shortcuts import get_object_or_404
 from rest_framework import serializers, status
 from rest_framework.decorators import api_view, permission_classes
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.pagination import LimitOffsetPagination
-from rest_framework.permissions import AllowAny, IsAuthenticated
+from rest_framework.permissions import AllowAny, IsAuthenticated, IsAdminUser
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -94,6 +95,7 @@ def comments_list_api_view(request: Request):
 @api_view(["POST"])
+@permission_classes([IsAdminUser])
 def comment_delete_api_view(request: Request, pk: int):
     comment = get_object_or_404(Comment, pk=pk)
@@ -104,6 +106,7 @@ def comment_delete_api_view(request: Request, pk: int):
 @api_view(["POST"])
+@permission_classes([IsAuthenticated])
 def comment_create_api_view(request: Request):
     user = request.user
     serializer = CommentWriteSerializer(data=request.data)
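Review bot: The new `IsAdminUser` guard on `comment_delete_api_view` admits only `is_staff` users, so a comment's author cannot delete their own comment even though the edit view in this same patch lets authors edit, and nothing on the view says whether that asymmetry is intended. A one-line docstring under the `def` would pin the rule: `"""Delete a comment; staff only (IsAdminUser checks is_staff) — authors may edit but not delete."""`. The front end hides Delete for non-`CURATOR` users, which presumably maps to `is_staff`, but that mapping is not visible here, so an API-level test asserting that a non-staff author receives 403 is the check worth adding. The view's body continues outside the hunk.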
@@ -137,11 +140,15 @@ def comment_create_api_view(request: Request):
 @api_view(["POST"])
+@permission_classes([IsAuthenticated])
 def comment_edit_api_view(request: Request, pk: int):
     # Small validation
-    comment = get_object_or_404(Comment.objects.filter(author=request.user), pk=pk)
+    comment = get_object_or_404(Comment, pk=pk)
     text = serializers.CharField().run_validation(request.data.get("text"))
+    if not (request.user.is_staff or comment.author == request.user):
+        raise PermissionDenied("You do not have permission to edit this comment.")
+
     differ = difflib.Differ()
     diff = list(differ.compare(comment.text.splitlines(), text.splitlines()))
diff --git a/front_end/src/components/comment_feed/comment.tsx b/front_end/src/components/comment_feed/comment.tsx
index 8755ea34fa..f3e84d252d 100644
--- a/front_end/src/components/comment_feed/comment.tsx
+++ b/front_end/src/components/comment_feed/comment.tsx
@@ -215,9 +215,9 @@ const Comment: FC = ({
       },
     },
     {
-      // hidden:
-      // permissions !== CommentPermissions.CREATOR &&
-      // permissions !== CommentPermissions.CURATOR,
+      hidden:
+        permissions !== CommentPermissions.CREATOR &&
+        permissions !== CommentPermissions.CURATOR,
       id: "edit",
       name: t("edit"),
       onClick: () => {
@@ -239,13 +239,14 @@ const Comment: FC = ({
       onClick: () => setIsReportModalOpen(true),
     },
     {
-      // hidden: permissions !== CommentPermissions.CURATOR,
+      hidden: permissions !== CommentPermissions.CURATOR,
       id: "delete",
       name: t("delete"),
       onClick: async () => {
-        // setDeleteModalOpen(true),
-        const response = softDeleteComment(comment.id);
-        if ("errors" in response) {
+        //setDeleteModalOpen(true),
+        const response = await softDeleteComment(comment.id);
+
+        if (response && "errors" in response) {
           console.error("Error deleting comment:", response.errors);
         } else {
           setIsDeleted(true);
From 183519377dcc18dd7d31b5484a896f3beb34346f Mon Sep 17 00:00:00 2001
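Review bot: In `comment_edit_api_view` the new ownership check runs after `serializers.CharField().run_validation(request.data.get("text"))`, so a caller who is neither staff nor the author gets a 400 for malformed input and a 403 only for well-formed input; authorize before touching the payload by moving the two added lines up to follow `comment = get_object_or_404(Comment, pk=pk)` directly. Dropping the `filter(author=request.user)` lookup also changes the response for non-authors from 404 to 403, which confirms that a comment id exists; likely harmless if comments are publicly readable, but worth a sentence in the docstring if that is accepted. `comment_edit_api_view`'s body continues outside the hunk.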
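Review bot: The delete item now calls `await softDeleteComment(comment.id)` on a single click with no confirmation, and the retained `//setDeleteModalOpen(true),` reads as a leftover of a confirmation modal that was never wired up; either open the modal before calling `softDeleteComment` or remove the dead comment so it stops suggesting a flow that does not exist. On failure the user gets only `console.error("Error deleting comment:", response.errors)`, so some visible feedback would be expected. The `hidden:` flags added here are UI gating only; the server-side `IsAdminUser` check in comments/views.py is the actual control. The menu item list continues outside the hunk.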
From: Vasile Popescu
Date: Fri, 6 Sep 2024 14:56:27 +0200
Subject: [PATCH 2/2] Fix Flake linting issues
---
 posts/views.py | 4 +---
 questions/services.py | 1 -
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/posts/views.py b/posts/views.py
index f1f11a79a0..cf1f3df3d7 100644
--- a/posts/views.py
+++ b/posts/views.py
@@ -1,9 +1,7 @@
 from datetime import timedelta
 from django.core.files.storage import default_storage
-from django.http import HttpResponse
 from django.shortcuts import get_object_or_404, redirect
 import django.utils
-import requests
 from rest_framework import status, serializers
 from rest_framework.decorators import api_view, permission_classes, parser_classes
 from rest_framework.exceptions import NotFound, PermissionDenied
@@ -13,7 +11,6 @@ from rest_framework.request import Request
 from rest_framework.response import Response
-# from playwright.sync_api import sync_playwright
 import os
 import django
 from PIL import Image
@@ -525,6 +522,7 @@ def post_preview_image(request: Request, pk):
     # This has to happen where because once we're in the playwright sync context the connection is invalidated
     post.preview_image_generated_at = django.utils.timezone.now()
     post.save()
+    from playwright.sync_api import sync_playwright
     with sync_playwright() as p:
         browser = p.chromium.launch(headless=True)
diff --git a/questions/services.py b/questions/services.py
index 3efa2fd476..bcc9f2b552 100644
--- a/questions/services.py
+++ b/questions/services.py
@@ -374,7 +374,6 @@ def create_forecast(
 def create_forecast_bulk(*, user: User = None, forecasts: list[dict] = None):
     from posts.services.common import get_post_permission_for_user
-    from posts.tasks import run_on_post_forecast
     posts = set()
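Review bot: The function-local `from playwright.sync_api import sync_playwright` in `post_preview_image` carries no explanation, and the earlier hunk in this file deletes the commented-out module-level form, so a reader cannot tell whether the lazy import is deliberate (presumably keeping playwright off the module's import path) or only a way to quiet the linter; add `# Imported here rather than at module level — TODO confirm: avoids requiring playwright at import time` above it. The pre-existing comment just above, "This has to happen where because", looks like a typo for "here" and could be fixed in passing. `post_preview_image` starts before the hunk and its `with sync_playwright()` block continues past it.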