Skip to content

Protect the comments deletion and edit by the right permissions #440

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 6, 2024
Merged

Protect the comments deletion and edit by the right permissions #440

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
56f93fb
Protect the comments deletion and edit by the right permissions
elisescu Sep 5, 2024
1835193
Fix Flake linting issues
elisescu Sep 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 9 additions & 2 deletions comments/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,9 @@
from django.shortcuts import get_object_or_404
from rest_framework import serializers, status
from rest_framework.decorators import api_view, permission_classes
from rest_framework.exceptions import PermissionDenied
from rest_framework.pagination import LimitOffsetPagination
from rest_framework.permissions import AllowAny, IsAuthenticated
from rest_framework.permissions import AllowAny, IsAuthenticated, IsAdminUser
from rest_framework.request import Request
from rest_framework.response import Response

Expand Down Expand Up @@ -94,6 +95,7 @@ def comments_list_api_view(request: Request):


@api_view(["POST"])
@permission_classes([IsAdminUser])
def comment_delete_api_view(request: Request, pk: int):
comment = get_object_or_404(Comment, pk=pk)

Expand All @@ -104,6 +106,7 @@ def comment_delete_api_view(request: Request, pk: int):


@api_view(["POST"])
@permission_classes([IsAuthenticated])
def comment_create_api_view(request: Request):
user = request.user
serializer = CommentWriteSerializer(data=request.data)
Expand Down Expand Up @@ -137,11 +140,15 @@ def comment_create_api_view(request: Request):


@api_view(["POST"])
@permission_classes([IsAuthenticated])
def comment_edit_api_view(request: Request, pk: int):
# Small validation
comment = get_object_or_404(Comment.objects.filter(author=request.user), pk=pk)
comment = get_object_or_404(Comment, pk=pk)
text = serializers.CharField().run_validation(request.data.get("text"))

if not (request.user.is_staff or comment.author == request.user):
raise PermissionDenied("You do not have permission to edit this comment.")

differ = difflib.Differ()

diff = list(differ.compare(comment.text.splitlines(), text.splitlines()))
Expand Down
15 changes: 8 additions & 7 deletions front_end/src/components/comment_feed/comment.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -215,9 +215,9 @@ const Comment: FC<CommentProps> = ({
},
},
{
// hidden:
// permissions !== CommentPermissions.CREATOR &&
// permissions !== CommentPermissions.CURATOR,
hidden:
permissions !== CommentPermissions.CREATOR &&
permissions !== CommentPermissions.CURATOR,
id: "edit",
name: t("edit"),
onClick: () => {
Expand All @@ -239,13 +239,14 @@ const Comment: FC<CommentProps> = ({
onClick: () => setIsReportModalOpen(true),
},
{
// hidden: permissions !== CommentPermissions.CURATOR,
hidden: permissions !== CommentPermissions.CURATOR,
id: "delete",
name: t("delete"),
onClick: async () => {
// setDeleteModalOpen(true),
const response = softDeleteComment(comment.id);
if ("errors" in response) {
//setDeleteModalOpen(true),
const response = await softDeleteComment(comment.id);

if (response && "errors" in response) {
console.error("Error deleting comment:", response.errors);
} else {
setIsDeleted(true);
Expand Down
4 changes: 1 addition & 3 deletions posts/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,7 @@
from datetime import timedelta
from django.core.files.storage import default_storage
from django.http import HttpResponse
from django.shortcuts import get_object_or_404, redirect
import django.utils
import requests
from rest_framework import status, serializers
from rest_framework.decorators import api_view, permission_classes, parser_classes
from rest_framework.exceptions import NotFound, PermissionDenied
Expand All @@ -13,7 +11,6 @@
from rest_framework.request import Request
from rest_framework.response import Response

# from playwright.sync_api import sync_playwright
import os
import django
from PIL import Image
Expand Down Expand Up @@ -525,6 +522,7 @@ def post_preview_image(request: Request, pk):
# This has to happen where because once we're in the playwright sync context the connection is invalidated
post.preview_image_generated_at = django.utils.timezone.now()
post.save()
from playwright.sync_api import sync_playwright
with sync_playwright() as p:

browser = p.chromium.launch(headless=True)
Expand Down
1 change: 0 additions & 1 deletion questions/services.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -374,7 +374,6 @@ def create_forecast(

def create_forecast_bulk(*, user: User = None, forecasts: list[dict] = None):
from posts.services.common import get_post_permission_for_user
from posts.tasks import run_on_post_forecast

posts = set()

Expand Down