From 7d8e59a81e052c7b87dda7e2fb1809167c4974bf Mon Sep 17 00:00:00 2001
From: Adam Coldrick
Date: Wed, 6 Jul 2016 10:12:19 +0000
Subject: [PATCH] Allow editing and deletion of comments to be disabled
This commit adds a configuration option which must be set in order to enable users to edit their comments, and enable superusers to delete comments. The option, `enable_editable_comments`, is False by default, meaning that the editing and deletion functionality must be opted into. If it is False, then only a database admin can delete or edit comments, by modifying the database directly.
Change-Id: Iabf598eae3aa35e4e53aadfe514fb2b0da37cefc
---
 etc/storyboard.conf.sample | 4 ++++
 storyboard/api/app.py | 5 ++++-
 storyboard/api/v1/timeline.py | 6 ++++++
 storyboard/tests/api/test_comments.py | 7 ++-----
 4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/etc/storyboard.conf.sample b/etc/storyboard.conf.sample
index 427037df..98cc8082 100644
--- a/etc/storyboard.conf.sample
+++ b/etc/storyboard.conf.sample
@@ -41,6 +41,10 @@ lock_path = $state_path/lock
 # and subscriptions.
 # enable_notifications = True
+# Enable editing/deletion of comments. When enabled, users can edit their own
+# comments and admins can delete comments.
+# enable_editable_comments = True
+
 [oauth]
 # StoryBoard's oauth configuration.
diff --git a/storyboard/api/app.py b/storyboard/api/app.py
index 7d68dbef..d482392d 100644
--- a/storyboard/api/app.py
+++ b/storyboard/api/app.py
@@ -52,7 +52,10 @@ API_OPTS = [
 help='API port'),
 cfg.BoolOpt('enable_notifications',
 default=False,
- help='Enable Notifications')
+ help='Enable Notifications'),
+ cfg.BoolOpt('enable_editable_comments',
+ default=False,
+ help='Enable editing and deletion of comments')
 ]
 CORS_OPTS = [
 cfg.ListOpt('allowed_origins',
diff --git a/storyboard/api/v1/timeline.py b/storyboard/api/v1/timeline.py
index b9de6496..6df84449 100644
--- a/storyboard/api/v1/timeline.py
+++ b/storyboard/api/v1/timeline.py
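Review bot: The help string `'Enable editing and deletion of comments'` on the new `cfg.BoolOpt` says nothing about scope or default, which is exactly what an operator reading the generated sample or `--help` needs before flipping a switch that lets users rewrite comment history; the conf sample comment in this same commit is more informative than the registered option. Something like `help='Allow users to edit their own comments and admins to delete comments. Off by default; when off, comments can only be changed directly in the database.'` would carry that context to every place the option is rendered. The `API_OPTS` list literal starts above the hunk.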
@@ -246,6 +246,9 @@ class CommentsController(rest.RestController):
 :param comment_id: The id of a Comment to be updated.
 :param comment_body: An updated Comment.
 """
+ if not CONF.enable_editable_comments:
+ abort(405, _("Editing of comments is disabled " "by the server administrator."))
 comments_api.comment_get(comment_id)
 comment_author_id = events_api.events_get_all(
@@ -269,6 +272,9 @@ class CommentsController(rest.RestController):
 :param story_id: A placeholder.
 :param comment_id: The id of a Comment to be updated.
 """
+ if not CONF.enable_editable_comments:
+ abort(405, _("Deletion of comments is disabled " "by the server administrator."))
 comments_api.comment_delete(comment_id)
diff --git a/storyboard/tests/api/test_comments.py b/storyboard/tests/api/test_comments.py
index e7904665..d038ad85 100644
--- a/storyboard/tests/api/test_comments.py
+++ b/storyboard/tests/api/test_comments.py
@@ -61,9 +61,6 @@ class TestComments(base.FunctionalTest):
 update_url = self.comments_resource % self.story_id + \
 "/%d" % original_id
- updated = self.put_json(update_url, delta)
+ response = self.put_json(update_url, delta, expect_errors=True)
- original_content = self.comment_01['content']
- updated_content = updated.json['content']
-
- self.assertNotEqual(original_content, updated_content)
+ self.assertEqual(405, response.status_code)
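Review bot: The new guard answers 405 Method Not Allowed, but the PUT route still exists and is only disabled by policy; RFC 7231 requires a 405 response to carry an `Allow` header, and a bare `abort(405, ...)` (presumably pecan's abort — confirm) does not add one, so clients may conclude PUT is unsupported on the resource altogether. 403 Forbidden describes "exists but not permitted on this deployment" more accurately: `abort(403, _("Editing of comments is disabled " "by the server administrator."))`, with the status in the test adjusted to match. Checking the flag before `comments_api.comment_get(comment_id)` is the right order, since a deployment with editing off then never reveals whether a comment id exists. The method's signature and decorators sit above the hunk and the existing author check continues below it, so neither could be reviewed here.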
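Review bot: The added check is a feature flag, not an authorization control: nothing in this hunk verifies that the caller is a superuser before `comments_api.comment_delete(comment_id)` runs, although the commit message reserves deletion for superusers. If that role check lives in a decorator on the method (its `def` is above the hunk) this is fine; if it does not, turning on `enable_editable_comments` would let any authenticated user delete any comment, and the role check belongs here, immediately after the flag test. The flag test and message are a near-verbatim copy of the ones in the update method, so a small shared helper would keep the two status codes and texts from drifting apart.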
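Review bot: The positive case is deleted rather than preserved: `updated = self.put_json(update_url, delta)` and the `assertNotEqual` on the content go away, so after this commit nothing exercises the editing path when the option is on, and the 405 response for DELETE is not tested at all. Keep this test for the default (disabled) configuration and add a sibling that enables the flag — via oslo.config's `CONF.set_override('enable_editable_comments', True)` or whatever override helper `base.FunctionalTest` provides — and asserts the content changed, plus one that issues a DELETE with the flag off and expects 405. The test method's `def` and fixture setup are above the hunk.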