[FIX] website_slides: only allow for a single review per user

Once a user posts a review, they are able to edit this single review and not create any new ones. However if the user had multiple tabs open of the same course, then they can still access the "Add a review" functionality. This fix enforces the single review per user per course policy. Task-3721958 closes odoo#156137 X-original-commit: 92afd78 Signed-off-by: Stéphane Debauche (std) <std@odoo.com> Signed-off-by: Bram Van Gaal (brvg) <brvg@odoo.com>
odoo-dev · Mar 1, 2024 · 7ba07df · 7ba07df
1 parent 17c6c40
commit 7ba07df
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 3 deletions.
diff --git a/addons/website_slides/controllers/mail.py b/addons/website_slides/controllers/mail.py
@@ -4,8 +4,9 @@
 import werkzeug
 
 from werkzeug.exceptions import NotFound, Forbidden
+from odoo.exceptions import ValidationError
 
-from odoo import http
+from odoo import _, http
 from odoo.http import request
 from odoo.addons.portal.controllers.mail import _check_special_access, PortalChatter
 from odoo.tools import plaintext2html, html2plaintext
@@ -22,12 +23,18 @@ def _portal_post_has_content(self, res_model, res_id, message, attachment_ids=No
 
     @http.route(['/mail/chatter_post'], type='json', methods=['POST'], auth='public', website=True)
     def portal_chatter_post(self, res_model, res_id, message, **kw):
+        previous_post = request.env['mail.message'].search([('res_id', '=', res_id),
+                                                            ('author_id', '=', request.env.user.partner_id.id),
+                                                            ('model', '=', 'slide.channel'),
+                                                            ('subtype_id', '=', request.env.ref('mail.mt_comment').id)])
+        if previous_post:
+            raise ValidationError(_("Only a single review can be posted per course."))
+
         result = super(SlidesPortalChatter, self).portal_chatter_post(res_model, res_id, message, **kw)
         if result and res_model == 'slide.channel':
             rating_value = kw.get('rating_value', False)
             slide_channel = request.env[res_model].sudo().browse(int(res_id))
             if rating_value and slide_channel and request.env.user.partner_id.id == int(kw.get('pid')):
-                # apply karma gain rule only once
                 request.env.user.add_karma(slide_channel.karma_gen_channel_rank)
             result.update({
                 'default_rating_value': rating_value,

diff --git a/addons/website_slides/i18n/website_slides.pot b/addons/website_slides/i18n/website_slides.pot
@@ -4127,6 +4127,12 @@ msgstr ""
 msgid "Open To All"
 msgstr ""
 
+#. module: website_slides
+#: code:addons/website_slides/controllers/mail.py:0
+#, python-format
+msgid "Only a single review can be posted per course."
+msgstr ""
+
 #. module: website_slides
 #: model:ir.model.fields,help:website_slides.field_slide_channel_invite__lang
 msgid ""

diff --git a/addons/website_slides/tests/test_security.py b/addons/website_slides/tests/test_security.py
@@ -2,10 +2,11 @@
 # Part of Odoo. See LICENSE file for full copyright and licensing details.
 import base64
 
+from odoo import http
 from odoo.addons.mail.tests.common import mail_new_test_user
 from odoo.addons.website_slides.tests import common
 from odoo.exceptions import AccessError
-from odoo.tests import tagged
+from odoo.tests import tagged, HttpCase
 from odoo.tools import mute_logger
 
 
@@ -365,3 +366,41 @@ def test_resource_access(self):
         resource2.with_user(self.user_manager).write({'name': 'Another name'})
         resource2.with_user(self.user_manager).unlink()
         self.env['slide.slide.resource'].with_user(self.user_manager).create(resource_values)
+
+
+@tagged('functional')
+class TestReview(common.SlidesCase, HttpCase):
+    @mute_logger('odoo.addons.http_routing.models.ir_http', 'odoo.http')
+    def test_channel_multiple_reviews(self):
+        self.authenticate("admin", "admin")
+
+        res1 = self.opener.post(
+            url='%s/mail/chatter_post' % self.base_url(),
+            json={
+                'params': {
+                    'res_id': self.channel.id,
+                    'res_model': 'slide.channel',
+                    'message': 'My first review :)',
+                    'rating_value': '2',
+                    'pid': self.env.user.partner_id.id,
+                    'csrf_token': http.Request.csrf_token(self),
+                },
+            },
+        )
+        self.assertIn("My first review :)", res1.text)
+
+
+        res2 = self.opener.post(
+            url='%s/mail/chatter_post' % self.base_url(),
+            json={
+                'params': {
+                    'res_id': self.channel.id,
+                    'res_model': 'slide.channel',
+                    'message': 'My second review :)',
+                    'rating_value': '2',
+                    'pid': self.env.user.partner_id.id,
+                    'csrf_token': http.Request.csrf_token(self),
+                },
+            },
+        )
+        self.assertIn("odoo.exceptions.ValidationError", res2.text)