[Ready for Review] Feature: Replace v1 comment routes with v2 routes

api/comments/serializers.py

@@ -1,9 +1,11 @@
 from rest_framework import serializers as ser
 from framework.auth.core import Auth
+from framework.exceptions import PermissionsError
 from website.project.model import Comment, Node
 from rest_framework.exceptions import ValidationError, PermissionDenied
 from api.base.exceptions import InvalidModelValueError, Conflict
 from api.base.utils import absolute_reverse
+from api.base.settings import osf_settings
 from api.base.serializers import (JSONAPISerializer,
                                   TargetField,
                                   RelationshipField,
@@ -29,7 +31,7 @@ class CommentSerializer(JSONAPISerializer):
 
     id = IDField(source='_id', read_only=True)
     type = TypeField()
-    content = AuthorizedCharField(source='get_content')
+    content = AuthorizedCharField(source='get_content', required=True, max_length=osf_settings.COMMENT_MAXLENGTH)
 
     target = TargetField(link_type='related', meta={'type': 'get_target_type'})
     user = RelationshipField(related_view='users:user-detail', related_view_kwargs={'user_id': '<user._id>'})
@@ -41,23 +43,56 @@ class CommentSerializer(JSONAPISerializer):
     date_modified = ser.DateTimeField(read_only=True)
     modified = ser.BooleanField(read_only=True, default=False)
     deleted = ser.BooleanField(read_only=True, source='is_deleted', default=False)
+    is_abuse = ser.SerializerMethodField(help_text='Whether the current user reported this comment.')
+    has_children = ser.SerializerMethodField(help_text='Whether this comment has any replies.')
+    can_edit = ser.SerializerMethodField(help_text='Whether the current user can edit this comment.')
 
     # LinksField.to_representation adds link to "self"
     links = LinksField({})
 
     class Meta:
         type_ = 'comments'
 
+    def validate_content(self, value):
+        if value is None or not value.strip():
+            raise ValidationError('Comment cannot be empty.')
+        return value
+
+    def get_is_abuse(self, obj):
+        user = self.context['request'].user
+        if user.is_anonymous():
+            return False
+        return user._id in obj.reports
+
+    def get_can_edit(self, obj):
+        user = self.context['request'].user
+        if user.is_anonymous():
+            return False
+        return obj.user._id == user._id
+
+    def get_has_children(self, obj):
+        return bool(getattr(obj, 'commented', []))
+
     def update(self, comment, validated_data):
         assert isinstance(comment, Comment), 'comment must be a Comment'
         auth = Auth(self.context['request'].user)
         if validated_data:
             if 'get_content' in validated_data:
-                comment.edit(validated_data['get_content'], auth=auth, save=True)
+                content = validated_data.pop('get_content')
+                try:
+                    comment.edit(content, auth=auth, save=True)
+                except PermissionsError:
+                    raise PermissionDenied('Not authorized to edit this comment.')
             if validated_data.get('is_deleted', None) is True:
-                comment.delete(auth, save=True)
+                try:
+                    comment.delete(auth, save=True)
+                except PermissionsError:
+                    raise PermissionDenied('Not authorized to delete this comment.')
             elif comment.is_deleted:
-                comment.undelete(auth, save=True)
+                try:
+                    comment.undelete(auth, save=True)
+                except PermissionsError:
+                    raise PermissionDenied('Not authorized to undelete this comment.')
         return comment
 
     def get_target_type(self, obj):
@@ -81,7 +116,7 @@ def get_validated_target_type(self, obj):
         target_type = self.context['request'].data.get('target_type')
         expected_target_type = self.get_target_type(target)
         if target_type != expected_target_type:
-            raise Conflict('Invalid target type. Expected \"{0}\", got \"{1}.\"'.format(expected_target_type, target_type))
+            raise Conflict('Invalid target type. Expected "{0}", got "{1}."'.format(expected_target_type, target_type))
         return target_type
 
     def get_target(self, node_id, target_id):
@@ -112,10 +147,10 @@ def create(self, validated_data):
             )
         validated_data['target'] = target
         validated_data['content'] = validated_data.pop('get_content')
-        if node and node.can_comment(auth):
+        try:
             comment = Comment.create(auth=auth, **validated_data)
-        else:
-            raise PermissionDenied("Not authorized to comment on this project.")
+        except PermissionsError:
+            raise PermissionDenied('Not authorized to comment on this project.')
         return comment
 
 

api/comments/views.py

@@ -69,6 +69,9 @@ class CommentRepliesList(JSONAPIBaseView, generics.ListAPIView, CommentMixin, OD
         date_modified  iso8601 timestamp  timestamp when the comment was last updated
         modified       boolean            has this comment been edited?
         deleted        boolean            is this comment deleted?
+        is_abuse       boolean            has this comment been reported by the current user?
+        has_children   boolean            does this comment have replies?
+        can_edit       boolean            can the current user edit this comment?
 
     ##Links
 
@@ -141,6 +144,9 @@ class CommentDetail(JSONAPIBaseView, generics.RetrieveUpdateAPIView, CommentMixi
         date_modified  iso8601 timestamp  timestamp when the comment was last updated
         modified       boolean            has this comment been edited?
         deleted        boolean            is this comment deleted?
+        is_abuse       boolean            has this comment been reported by the current user?
+        has_children   boolean            does this comment have replies?
+        can_edit       boolean            can the current user edit this comment?
 
     ##Relationships
 

api/nodes/views.py

@@ -1770,6 +1770,9 @@ class NodeCommentsList(JSONAPIBaseView, generics.ListCreateAPIView, ODMFilterMix
         date_modified  iso8601 timestamp  timestamp when the comment was last updated
         modified       boolean            has this comment been edited?
         deleted        boolean            is this comment deleted?
+        is_abuse       boolean            has this comment been reported by the current user?
+        has_children   boolean            does this comment have replies?
+        can_edit       boolean            can the current user edit this comment?
 
     ##Links
 

api_tests/comments/views/test_comment_detail.py

@@ -2,8 +2,9 @@
 from nose.tools import *  # flake8: noqa
 
 from api.base.settings.defaults import API_BASE
+from api.base.settings import osf_settings
 from tests.base import ApiTestCase
-from tests.factories import ProjectFactory, AuthUserFactory, CommentFactory, RegistrationFactory
+from tests.factories import ProjectFactory, AuthUserFactory, CommentFactory, RegistrationFactory, PrivateLinkFactory
 
 
 class TestCommentDetailView(ApiTestCase):
@@ -67,6 +68,27 @@ def test_private_node_logged_out_user_cannot_view_comment(self):
         res = self.app.get(self.private_url, expect_errors=True)
         assert_equal(res.status_code, 401)
 
+    def test_private_node_user_with_private_link_can_see_comment(self):
+        self._set_up_private_project_with_comment()
+        private_link = PrivateLinkFactory(anonymous=False)
+        private_link.nodes.append(self.private_project)
+        private_link.save()
+        res = self.app.get('/{}comments/{}/'.format(API_BASE, self.comment._id), {'view_only': private_link.key}, expect_errors=True)
+        assert_equal(res.status_code, 200)
+        assert_equal(self.comment._id, res.json['data']['id'])
+        assert_equal(self.comment.content, res.json['data']['attributes']['content'])
+
+    def test_private_node_user_with_anonymous_link_cannot_see_commenter_info(self):
+        self._set_up_private_project_with_comment()
+        private_link = PrivateLinkFactory(anonymous=True)
+        private_link.nodes.append(self.private_project)
+        private_link.save()
+        res = self.app.get('/{}comments/{}/'.format(API_BASE, self.comment._id), {'view_only': private_link.key}, expect_errors=True)
+        assert_equal(res.status_code, 200)
+        assert_equal(self.comment._id, res.json['data']['id'])
+        assert_equal(self.comment.content, res.json['data']['attributes']['content'])
+        assert_not_in('user', res.json['data']['relationships'])
+
     def test_public_node_logged_in_contributor_can_view_comment(self):
         self._set_up_public_project_with_comment()
         res = self.app.get(self.public_url, auth=self.user.auth)
@@ -88,6 +110,15 @@ def test_public_node_logged_out_user_can_view_comment(self):
         assert_equal(self.public_comment._id, res.json['data']['id'])
         assert_equal(self.public_comment.content, res.json['data']['attributes']['content'])
 
+    def test_public_node_user_with_private_link_can_view_comment(self):
+        self._set_up_public_project_with_comment()
+        private_link = PrivateLinkFactory(anonymous=False)
+        private_link.nodes.append(self.public_project)
+        private_link.save()
+        res = self.app.get('/{}comments/{}/'.format(API_BASE, self.public_comment._id), {'view_only': private_link.key}, expect_errors=True)
+        assert_equal(self.public_comment._id, res.json['data']['id'])
+        assert_equal(self.public_comment.content, res.json['data']['attributes']['content'])
+
     def test_registration_logged_in_contributor_can_view_comment(self):
         self._set_up_registration_with_comment()
         res = self.app.get(self.registration_url, auth=self.user.auth)
@@ -193,6 +224,39 @@ def test_public_node_non_contributor_commenter_can_update_comment(self):
         assert_equal(res.status_code, 200)
         assert_equal(payload['data']['attributes']['content'], res.json['data']['attributes']['content'])
 
+    def test_update_comment_cannot_exceed_max_length(self):
+        self._set_up_private_project_with_comment()
+        payload = {
+            'data': {
+                'id': self.comment._id,
+                'type': 'comments',
+                'attributes': {
+                    'content': ''.join(['c' for c in range(osf_settings.COMMENT_MAXLENGTH + 1)]),
+                    'deleted': False
+                }
+            }
+        }
+        res = self.app.put_json_api(self.private_url, payload, auth=self.user.auth, expect_errors=True)
+        assert_equal(res.status_code, 400)
+        assert_equal(res.json['errors'][0]['detail'],
+                     'Ensure this field has no more than {} characters.'.format(str(osf_settings.COMMENT_MAXLENGTH)))
+
+    def test_update_comment_cannot_be_empty(self):
+        self._set_up_private_project_with_comment()
+        payload = {
+            'data': {
+                'id': self.comment._id,
+                'type': 'comments',
+                'attributes': {
+                    'content': '',
+                    'deleted': False
+                }
+            }
+        }
+        res = self.app.put_json_api(self.private_url, payload, auth=self.user.auth, expect_errors=True)
+        assert_equal(res.status_code, 400)
+        assert_equal(res.json['errors'][0]['detail'], 'This field may not be blank.')
+
     def test_private_node_only_logged_in_contributor_commenter_can_delete_comment(self):
         self._set_up_private_project_with_comment()
         comment = CommentFactory(node=self.private_project, target=self.private_project, user=self.user)
@@ -446,6 +510,32 @@ def test_private_node_logged_out_user_cannot_see_deleted_comment(self):
         res = self.app.get(url, expect_errors=True)
         assert_equal(res.status_code, 401)
 
+    def test_private_node_view_only_link_user_cannot_see_deleted_comment(self):
+        self._set_up_private_project_with_comment()
+        self.comment.is_deleted = True
+        self.comment.save()
+
+        private_link = PrivateLinkFactory(anonymous=False)
+        private_link.nodes.append(self.private_project)
+        private_link.save()
+
+        res= self.app.get('/{}comments/{}/'.format(API_BASE, self.comment._id), {'view_only': private_link.key}, expect_errors=True)
+        assert_equal(res.status_code, 200)
+        assert_is_none(res.json['data']['attributes']['content'])
+
+    def test_private_node_anonymous_view_only_link_user_cannot_see_deleted_comment(self):
+        self._set_up_private_project_with_comment()
+        self.comment.is_deleted = True
+        self.comment.save()
+
+        anonymous_link = PrivateLinkFactory(anonymous=True)
+        anonymous_link.nodes.append(self.private_project)
+        anonymous_link.save()
+
+        res= self.app.get('/{}comments/{}/'.format(API_BASE, self.comment._id), {'view_only': anonymous_link.key}, expect_errors=True)
+        assert_equal(res.status_code, 200)
+        assert_is_none(res.json['data']['attributes']['content'])
+
     def test_public_node_only_logged_in_commenter_can_view_deleted_comment(self):
         public_project = ProjectFactory(is_public=True, creator=self.user)
         comment = CommentFactory(node=public_project, target=public_project, user=self.user)
@@ -485,3 +575,16 @@ def test_public_node_logged_out_user_cannot_view_deleted_comments(self):
         res = self.app.get(url)
         assert_equal(res.status_code, 200)
         assert_is_none(res.json['data']['attributes']['content'])
+
+    def test_public_node_view_only_link_user_cannot_see_deleted_comment(self):
+        self._set_up_public_project_with_comment()
+        self.public_comment.is_deleted = True
+        self.public_comment.save()
+
+        private_link = PrivateLinkFactory(anonymous=False)
+        private_link.nodes.append(self.public_project)
+        private_link.save()
+
+        res = self.app.get('/{}comments/{}/'.format(API_BASE, self.public_comment._id), {'view_only': private_link.key}, expect_errors=True)
+        assert_equal(res.status_code, 200)
+        assert_is_none(res.json['data']['attributes']['content'])

api_tests/nodes/views/test_node_comments_list.py

@@ -4,6 +4,7 @@
 from framework.auth import core
 
 from api.base.settings.defaults import API_BASE
+from api.base.settings import osf_settings
 from tests.base import ApiTestCase
 from tests.factories import (
     ProjectFactory,
@@ -12,6 +13,7 @@
     CommentFactory,
     RetractedRegistrationFactory
 )
+from website.util.sanitize import strip_html
 
 
 class TestNodeCommentsList(ApiTestCase):
@@ -406,6 +408,73 @@ def test_create_comment_no_content(self):
         assert_equal(res.json['errors'][0]['detail'], 'This field may not be blank.')
         assert_equal(res.json['errors'][0]['source']['pointer'], '/data/attributes/content')
 
+    def test_create_comment_trims_whitespace(self):
+        self._set_up_private_project()
+        payload = {
+            'data': {
+                'type': 'comments',
+                'attributes': {
+                    'content': '   '
+                },
+                'relationships': {
+                    'target': {
+                        'data': {
+                            'type': 'nodes',
+                            'id': self.private_project._id
+                        }
+                    }
+                }
+            }
+        }
+        res = self.app.post_json_api(self.private_url, payload, auth=self.user.auth, expect_errors=True)
+        assert_equal(res.status_code, 400)
+        assert_equal(res.json['errors'][0]['detail'], 'Comment cannot be empty.')
+
+    def test_create_comment_sanitizes_input(self):
+        self._set_up_private_project()
+        payload = {
+            'data': {
+                'type': 'comments',
+                'attributes': {
+                    'content': '<em>Cool</em> <strong>Comment</strong>'
+                },
+                'relationships': {
+                    'target': {
+                        'data': {
+                            'type': 'nodes',
+                            'id': self.private_project._id
+                        }
+                    }
+                }
+            }
+        }
+        res = self.app.post_json_api(self.private_url, payload, auth=self.user.auth)
+        assert_equal(res.status_code, 201)
+        assert_equal(res.json['data']['attributes']['content'], strip_html(payload['data']['attributes']['content']))
+
+    def test_create_comment_exceeds_max_length(self):
+        self._set_up_private_project()
+        payload = {
+            'data': {
+                'type': 'comments',
+                'attributes': {
+                    'content': (''.join(['c' for c in range(osf_settings.COMMENT_MAXLENGTH + 1)]))
+                },
+                'relationships': {
+                    'target': {
+                        'data': {
+                            'type': 'nodes',
+                            'id': self.private_project._id
+                        }
+                    }
+                }
+            }
+        }
+        res = self.app.post_json_api(self.private_url, payload, auth=self.user.auth, expect_errors=True)
+        assert_equal(res.status_code, 400)
+        assert_equal(res.json['errors'][0]['detail'],
+                     'Ensure this field has no more than {} characters.'.format(str(osf_settings.COMMENT_MAXLENGTH)))
+
     def test_create_comment_invalid_target_node(self):
         url = '/{}nodes/{}/comments/'.format(API_BASE, 'abcde')
         payload = self._set_up_payload('abcde')

framework/mongo/validators.py

@@ -6,7 +6,7 @@
 
 
 def string_required(value):
-    if value is None or value == '':
+    if value is None or value.strip() == '':
         raise ValidationValueError('Value must not be empty.')
     return True