[webui][api] added edit/delete functionality with permission checks

openSUSE · Aug 19, 2013 · ce30ce0 · ce30ce0 · coolo · Aug 25, 2013
1 parent c1f6110
commit ce30ce0
Show file tree

Hide file tree

Showing 17 changed files with 290 additions and 11 deletions.
diff --git a/src/api/app/controllers/webui/comments_controller.rb b/src/api/app/controllers/webui/comments_controller.rb
@@ -36,4 +36,19 @@ def requests_new
 		CommentRequest.save(params)
 		render_ok
 	end
+
+	def projects_update
+		CommentProject.update_comment(params)
+		render_ok
+	end
+
+	def packages_update
+		CommentPackage.update_comment(params)
+		render_ok
+	end
+
+	def requests_update
+		CommentRequest.update_comment(params)
+		render_ok
+	end
 end
diff --git a/src/api/app/models/comment.rb b/src/api/app/models/comment.rb
@@ -2,12 +2,17 @@ class Comment < ActiveRecord::Base
   belongs_to :project
   belongs_to :package
   belongs_to :bs_request
+
   class NoDataEnteredError < APIException
     setup 'no_data_entered', 403, "No data Entered"
   end
   class NoUserFound < APIException
     setup 'no_user_found', 403, "No user found"
   end
+  class WritePermissionError < APIException
+    setup "project_write_permission_error"
+  end
+
   def self.save(params)
     @comment = {}
   	@comment['title'] 	= params[:title]
@@ -23,4 +28,21 @@ def self.save(params)
       raise NoUserFound.new "No user found. Sign in before continuing."
     end
   end
+
+  def self.update_comment(params)
+
+    if params[:update_type] == 'edit' && User.current.login == params[:user]
+      self.update(params[:comment_id],:body => params[:body])
+    elsif params[:update_type] == 'delete' && @object_permission_check
+      self.update(params[:comment_id],:body => "Comment deleted.")
+    else
+      raise WritePermissionError, "You don't have the permissions to modify the content."
+    end
+
+    if params[:update_type] == 'edit' && params[:body].blank?
+      raise NoDataEnteredError.new "You didn't add a body to the comment." 
+    end
+
+  end
+
 end
diff --git a/src/api/app/models/comment_package.rb b/src/api/app/models/comment_package.rb
@@ -5,4 +5,10 @@ def self.save(params)
 		@comment['package_id'] = package.id
 		CommentPackage.create(@comment)
 	end
+
+	def self.update_comment(params)
+		package = Package.get_by_project_and_name(params[:project], params[:package])
+		@object_permission_check = (User.current.can_modify_package?(package) || User.current.is_admin? || User.current.login == params[:user])		
+		super
+	end
 end
diff --git a/src/api/app/models/comment_project.rb b/src/api/app/models/comment_project.rb
@@ -1,8 +1,15 @@
 class CommentProject < Comment
+
 	def self.save(params)
 		super
 		project = Project.get_by_name(params[:project])
 		@comment['project_id'] = project.id
 		CommentProject.create(@comment)
 	end
+
+	def self.update_comment(params)
+		project = Project.get_by_name(params[:project])
+		@object_permission_check = (User.current.can_modify_project?(project) || User.current.is_admin? || User.current.login == params[:user])		
+		super
+	end
 end
diff --git a/src/api/app/models/comment_request.rb b/src/api/app/models/comment_request.rb
@@ -4,4 +4,9 @@ def self.save(params)
 		@comment['bs_request_id'] = params[:request_id]
 		CommentRequest.create(@comment)
 	end
+
+	def self.update_comment(params)
+		@object_permission_check = (User.current.is_admin? || User.current.login == params[:user])		
+		super
+	end
 end
diff --git a/src/api/config/routes.rb b/src/api/config/routes.rb
@@ -355,6 +355,11 @@
       post 'comments/package/:project/:package/new' => 'comments#packages_new', constraints: cons
       post 'comments/request/:id/new' => 'comments#requests_new', constraints: cons
 
+      put 'comments/project/:project/update' => 'comments#projects_update', constraints: cons
+      put 'comments/package/:project/:package/update' => 'comments#packages_update', constraints: cons
+      put 'comments/request/:id/update' => 'comments#requests_update', constraints: cons
+
+
     end
 
     get "/404" => "main#notfound"

diff --git a/src/api/db/structure.sql b/src/api/db/structure.sql
@@ -419,8 +419,7 @@ CREATE TABLE `linked_packages` (
   `links_to_id` int(11) NOT NULL,
   `package_id` int(11) NOT NULL AUTO_INCREMENT,
   `updated_at` datetime DEFAULT NULL,
-  PRIMARY KEY (`package_id`),
-  KEY `index_linked_packages_on_links_to_id` (`links_to_id`)
+  PRIMARY KEY (`package_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
 
 CREATE TABLE `linked_projects` (
@@ -496,7 +495,6 @@ CREATE TABLE `packages` (
   `activity_index` float DEFAULT '100',
   `bcntsynctag` varchar(255) CHARACTER SET utf8 DEFAULT NULL,
   `develpackage_id` int(11) DEFAULT NULL,
-  `delta` tinyint(1) NOT NULL DEFAULT '1',
   PRIMARY KEY (`id`),
   UNIQUE KEY `packages_all_index` (`db_project_id`,`name`(255)),
   KEY `devel_package_id_index` (`develpackage_id`),
@@ -531,7 +529,6 @@ CREATE TABLE `projects` (
   `type_id` int(11) DEFAULT NULL,
   `maintenance_project_id` int(11) DEFAULT NULL,
   `develproject_id` int(11) DEFAULT NULL,
-  `delta` tinyint(1) NOT NULL DEFAULT '1',
   PRIMARY KEY (`id`),
   UNIQUE KEY `projects_name_index` (`name`(255)),
   KEY `updated_at_index` (`updated_at`),
@@ -1127,6 +1124,10 @@ INSERT INTO schema_migrations (version) VALUES ('20130619083665');
 
 INSERT INTO schema_migrations (version) VALUES ('20130621083665');
 
+INSERT INTO schema_migrations (version) VALUES ('20130624095423');
+
+INSERT INTO schema_migrations (version) VALUES ('20130626133922');
+
 INSERT INTO schema_migrations (version) VALUES ('20130626160000');
 
 INSERT INTO schema_migrations (version) VALUES ('20130627193722');

diff --git a/src/api/test/fixtures/comments.yml b/src/api/test/fixtures/comments.yml
@@ -2,11 +2,11 @@ project_comment_parent:
  id: 100
  title: Hurray
  body: I am making a comment
- project_id: 68576
+ project_id: 2042
  package_id:
  bs_request_id:
  parent_id:
- type: project
+ type: CommentProject
  user: Admin
  created_at: 2013-07-25 14:00:21.000000000 Z
  updated_at: 2013-07-25 14:00:21.000000000 Z
@@ -15,11 +15,37 @@ project_comment_reply:
  id: 101
  title:
  body: I am making a reply
- project_id: 68576
+ project_id: 2042
  package_id:
  bs_request_id:
  parent_id: 100
- type: project
+ type: CommentProject
  user: Admin
  created_at: 2013-07-25 15:00:21.000000000 Z
- updated_at: 2013-07-25 15:00:21.000000000 Z
+ updated_at: 2013-07-25 15:00:21.000000000 Z
+
+package_comment_parent:
+ id: 102
+ title: Hurray 2
+ body: I am making a comment 2
+ project_id:
+ package_id: 10094
+ bs_request_id:
+ parent_id:
+ type: CommentPackage
+ user: tom
+ created_at: 2013-07-25 14:00:21.000000000 Z
+ updated_at: 2013-07-25 14:00:21.000000000 Z
+
+request_comment_parent:
+ id: 103
+ title: Hurray 3
+ body: I am making a comment 3
+ project_id:
+ package_id:
+ bs_request_id: 1000
+ parent_id:
+ type: CommentRequest
+ user: tom
+ created_at: 2013-07-25 14:00:21.000000000 Z
+ updated_at: 2013-07-25 14:00:21.000000000 Z
diff --git a/src/api/test/functional/comments_controller_test.rb b/src/api/test/functional/comments_controller_test.rb
@@ -24,5 +24,72 @@ def test_show_and_post_comments_on_project
     post "/webui/comments/project/BaseDistro/new", {:project => "BaseDistro", :title => "This is a title"}
     assert_response 403
   end
+
+  def test_update_permissions_for_comments_on_project
+    reset_auth
+    prepare_request_with_user "tom", "thunder"
+
+    put "/webui/comments/project/BaseDistro/update", {:comment_id => 100, :update_type => 'delete', :user => 'tom', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 200
+
+    # Test to see if another user can delete a comment he/she is not associated with
+    prepare_request_with_user "tom", "thunder"
+
+    put "/webui/comments/project/BaseDistro/update", {:comment_id => 100, :update_type => 'delete', :user => 'Iggy',:project => "BaseDistro", :title => "This is a title", :body => "Comment deleted"}
+    assert_response 400
+
+    # Test to see check permission on editing comments
+
+    put "/webui/comments/project/BaseDistro/update", {:comment_id => 100, :update_type => 'edit', :user => 'Iggy',:project => "BaseDistro", :title => "This is a title", :body => "Comment deleted"}
+    assert_response 400
+
+    put "/webui/comments/project/BaseDistro/update", {:comment_id => 100, :update_type => 'edit', :user => 'tom',:project => "BaseDistro", :title => "This is a title", :body => "Comment deleted"}
+    assert_response 200
+  end
+
+  def test_update_permissions_for_comments_on_package
+    reset_auth
+    prepare_request_with_user "tom", "thunder"
+
+    put "/webui/comments/package/BaseDistro/pack1/update", {:comment_id => 102, :update_type => 'delete', :user => 'tom', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 200
+
+    # Test to see if another user can delete a comment he/she is not associated with
+    prepare_request_with_user "tom", "thunder"
+
+    put "/webui/comments/package/BaseDistro/pack1/update", {:comment_id => 102, :update_type => 'delete', :user => 'Iggy', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 400
+
+    # Test to see check permission on editing comments
+
+    put "/webui/comments/package/BaseDistro/pack1/update", {:comment_id => 102, :update_type => 'edit', :user => 'Iggy', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 400
+
+    put "/webui/comments/package/BaseDistro/pack1/update", {:comment_id => 102, :update_type => 'edit', :user => 'tom', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 200
+  end
+
+  def test_update_permissions_for_comments_on_request
+    reset_auth
+    prepare_request_with_user "tom", "thunder"
+
+    put "/webui/comments/request/1000/update", {:comment_id => 103, :update_type => 'delete', :user => 'tom', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 200
+
+    # Test to see if another user can delete a comment he/she is not associated with
+    prepare_request_with_user "tom", "thunder"
+
+    put "/webui/comments/request/1000/update", {:comment_id => 103, :update_type => 'delete', :user => 'Iggy', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 400
+
+    # Test to see check permission on editing comments
+
+    put "/webui/comments/request/1000/update", {:comment_id => 103, :update_type => 'edit', :user => 'Iggy', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 400
+
+    put "/webui/comments/request/1000/update", {:comment_id => 103, :update_type => 'edit', :user => 'tom', :title => "This is a title", :body => "Comment deleted"}
+    assert_response 200
+  end
+
 end
 
diff --git a/src/webui/app/controllers/package_controller.rb b/src/webui/app/controllers/package_controller.rb
@@ -1111,6 +1111,29 @@ def save_comments
     end
   end
 
+  def update_comments
+    begin
+      unless params[:update] == 'true'
+        params[:project] = @project.name
+        params[:package] = @package.name
+        ApiDetails.update_comments(:update_comments_for_packages, params)
+
+        respond_to do |format|
+          format.js { render json: 'ok' }
+          format.html do
+            flash[:notice] = "Comment updated successfully"
+            redirect_to action: :comments
+          end
+        end
+      else
+        render_dialog
+      end
+    rescue ActiveXML::Transport::Error => e
+      flash[:error] = e.summary
+      redirect_to(:action => "comments", :project => params[:project], :package => params[:package]) and return
+    end
+  end
+
   private
 
   def file_available? url, max_redirects=5

diff --git a/src/webui/app/controllers/project_controller.rb b/src/webui/app/controllers/project_controller.rb
@@ -1294,6 +1294,28 @@ def save_comments
       redirect_to(:action => "comments", :project => params[:project]) and return
     end
   end
+
+  def update_comments
+    begin
+      unless params[:update] == 'true'
+        params[:project] = @project.name
+        ApiDetails.update_comments(:update_comments_for_projects, params)
+
+        respond_to do |format|
+          format.js { render json: 'ok' }
+          format.html do
+            flash[:notice] = "Comment updated successfully"
+            redirect_to action: :comments
+          end
+        end
+      else
+        render_dialog
+      end
+    rescue ActiveXML::Transport::Error => e
+      flash[:error] = e.summary
+      redirect_to(:action => "comments", :project => params[:project]) and return
+    end
+  end
 
   private
 

diff --git a/src/webui/app/controllers/request_controller.rb b/src/webui/app/controllers/request_controller.rb
@@ -317,6 +317,28 @@ def save_comments
     end
   end
 
+  def update_comments
+    begin
+      unless params[:update] == 'true'
+        params[:request_id] = params[:id]
+        ApiDetails.update_comments(:update_comments_for_requests, params)
+
+        respond_to do |format|
+          format.js { render json: 'ok' }
+          format.html do
+            flash[:notice] = "Comment updated successfully"
+            redirect_to action: :comments
+          end
+        end
+      else
+        render_dialog
+      end
+    rescue ActiveXML::Transport::Error => e
+      flash[:error] = e.summary
+      redirect_to(:action => "comments", :id => params[:request_id]) and return
+    end
+  end
+
 private
 
   def change_request(changestate, params)

diff --git a/src/webui/app/models/api_details.rb b/src/webui/app/models/api_details.rb
@@ -37,6 +37,19 @@ def self.save_comments(route_name, params)
     data
   end
 
+  def self.update_comments(route_name, params)
+    uri = "/webui/" +
+    case route_name.to_sym
+      when :update_comments_for_projects then "comments/project/#{params[:project]}/update"
+      when :update_comments_for_packages then "comments/package/#{params[:project]}/#{params[:package]}/update"
+      when :update_comments_for_requests then "comments/request/#{params[:request_id]}/update"
+    end
+
+    uri = URI(uri)
+    data = ActiveXML::transport.http_json :put, uri, params
+    data
+  end
+
   # Trying to mimic the names and params of Rails' url helpers
   def self.http_do(verb, route_name, *args)
     # FIXME: we need a better (real) implementation of nested routes