restrict commenting

cloverfeed · Dec 18, 2014 · 4737c2d · 4737c2d
1 parent 470d8b9
commit 4737c2d
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 3 deletions.
diff --git a/app/models.py b/app/models.py
@@ -93,12 +93,18 @@ def pretty_name(self):
             pretty += ' (guest)'
         return pretty
 
-    def can_annotate(self, docid):
+    def can_act_on(self, docid):
         docid = int(docid)
         if self.role == ROLE_GUEST:
             return docid == self.only_doc_id
         return True
 
+    def can_annotate(self, docid):
+        return self.can_act_on(docid)
+
+    def can_comment_on(self, docid):
+        return self.can_act_on(docid)
+
 
 class Document(db.Model):
     """

diff --git a/app/tests.py b/app/tests.py
@@ -41,6 +41,7 @@ def _new_upload_id(self, filename):
         return koremutake.decode(docid)
 
     def test_upload(self):
+        r = self._login('a', 'a', signup=True)
         r = self._upload('toto.pdf')
         self.assertStatus(r, 302)
         m = re.search('/view/(\w+)', r.location)
@@ -298,11 +299,14 @@ def test_share_link(self):
         r = self.client.get(r.location)
         self.assertIn('Signed in as Bob (guest)', r.data)
 
-        self.assertTrue(self._can_annotate(docid))
-
         other_docid = self._new_upload_id('blabla.pdf')
+
+        self.assertTrue(self._can_annotate(docid))
         self.assertFalse(self._can_annotate(other_docid))
 
+        self.assertTrue(self._can_comment_on(docid))
+        self.assertFalse(self._can_comment_on(other_docid))
+
     def _can_annotate(self, docid):
         data = {'doc': docid,
                 'page': 2,
@@ -314,3 +318,13 @@ def _can_annotate(self, docid):
                 }
         r = self.client.post('/annotation/new', data=data)
         return r.status_code == 200
+
+    def _can_comment_on(self, docid):
+        comm = 'bla bla bla'
+        r = self.client.post('/comment/new',
+                             data={'docid': docid,
+                                   'comment': comm
+                                   },
+                             follow_redirects=True,
+                             )
+        return r.status_code == 200
diff --git a/app/views.py b/app/views.py
@@ -180,10 +180,13 @@ def post_comment():
     Create a new comment.
 
     :status 302: Redirects to the "view document" page.
+    :status 401: Not allowed to comment.
     """
     form = CommentForm()
     assert(form.validate_on_submit())
     docid = kore_id(form.docid.data)
+    if not (current_user.is_authenticated() and current_user.can_comment_on(docid)):
+        return Unauthorized()
     comm = Comment(docid, form.comment.data)
     db.session.add(comm)
     db.session.commit()