Add permissions checks to comment model methods

Handle PermissionsErrors in comment serializer
methods.

Author: samanehsan

api/comments/serializers.py

@@ -1,5 +1,6 @@
 from rest_framework import serializers as ser
 from framework.auth.core import Auth
+from framework.exceptions import PermissionsError
 from website.project.model import Comment, Node
 from rest_framework.exceptions import ValidationError, PermissionDenied
 from api.base.exceptions import InvalidModelValueError, Conflict
@@ -78,11 +79,20 @@ def update(self, comment, validated_data):
         if validated_data:
             if 'get_content' in validated_data:
                 content = validated_data.pop('get_content')
-                comment.edit(content, auth=auth, save=True)
+                try:
+                    comment.edit(content, auth=auth, save=True)
+                except PermissionsError:
+                    raise PermissionDenied('Not authorized to edit this comment.')
             if validated_data.get('is_deleted', None) is True:
-                comment.delete(auth, save=True)
+                try:
+                    comment.delete(auth, save=True)
+                except PermissionsError:
+                    raise PermissionDenied('Not authorized to delete this comment.')
             elif comment.is_deleted:
-                comment.undelete(auth, save=True)
+                try:
+                    comment.undelete(auth, save=True)
+                except PermissionsError:
+                    raise PermissionDenied('Not authorized to undelete this comment.')
         return comment
 
     def get_target_type(self, obj):
@@ -136,10 +146,11 @@ def create(self, validated_data):
                 detail='Invalid comment target \'{}\'.'.format(target_id)
             )
         validated_data['target'] = target
-        if node and node.can_comment(auth):
+        validated_data['content'] = validated_data.pop('get_content')
+        try:
             comment = Comment.create(auth=auth, **validated_data)
-        else:
-            raise PermissionDenied("Not authorized to comment on this project.")
+        except PermissionsError:
+            raise PermissionDenied('Not authorized to comment on this project.')
         return comment
 
 

website/project/model.py

@@ -234,6 +234,8 @@ def find_unread(cls, user, node):
     @classmethod
     def create(cls, auth, **kwargs):
         comment = cls(**kwargs)
+        if not comment.node.can_comment(auth):
+            raise PermissionsError('{0!r} does not have permission to comment on this node'.format(auth.user))
         comment.save()
 
         comment.node.add_log(
@@ -254,6 +256,8 @@ def create(cls, auth, **kwargs):
         return comment
 
     def edit(self, content, auth, save=False):
+        if not self.node.can_comment(auth) or self.user._id != auth.user._id:
+            raise PermissionsError('{0!r} does not have permission to edit this comment'.format(auth.user))
         self.content = content
         self.modified = True
         self.node.add_log(
@@ -271,6 +275,8 @@ def edit(self, content, auth, save=False):
             self.save()
 
     def delete(self, auth, save=False):
+        if not self.node.can_comment(auth) or self.user._id != auth.user._id:
+            raise PermissionsError('{0!r} does not have permission to comment on this node'.format(auth.user))
         self.is_deleted = True
         self.node.add_log(
             NodeLog.COMMENT_REMOVED,
@@ -287,6 +293,8 @@ def delete(self, auth, save=False):
             self.save()
 
     def undelete(self, auth, save=False):
+        if not self.node.can_comment(auth) or self.user._id != auth.user._id:
+            raise PermissionsError('{0!r} does not have permission to comment on this node'.format(auth.user))
         self.is_deleted = False
         self.node.add_log(
             NodeLog.COMMENT_ADDED,