XWIKI-21730: Delete own comments should not require edit rights on page #2836
Conversation
* Changed the permission needed for the delete comment action to be displayed
Sereza7
added
the
backport stable-15.10.x
| @@ -184,7 +184,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true) | |||
| <a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow" | |||
| href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}" | |||
| title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a> | |||
| #if ($hasAdmin || ($hasEdit && $isUserComment)) | |||
| #if ($hasAdmin || ($xwiki.hasAccessLevel('comment') && $isUserComment)) | |||
There was a problem hiding this comment.
To be consistent I would reuse the same condition than the one used for editing a comment, which is right now #if($hasAdmin || $isUserComment) (see line 180).
* Added backend support for deletion of comments. This new action is very similar to regular object removal (which was the action used before), but is based on the Comment right instead of the Edit right. See this demo: https://youtu.be/LwnLWfZFYZw
|
Added backend support for deletion of comments. This new action is very similar to regular object removal (which was the action used before), but is based on the Comment right instead of the Edit right. Changes are mostly contained in the oldcore module, because that's where all the backend logic for actions used in those buttons was already contained. See a demo of this updated action. |
| @@ -184,7 +184,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true) | |||
| <a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow" | |||
| href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}" | |||
| title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a> | |||
| #if ($hasAdmin || ($hasEdit && $isUserComment)) | |||
| #if ($hasAdmin || $isUserComment) | |||
There was a problem hiding this comment.
What about introducing a new variable to use in both if for edit and delete? That way we ensure that we'll keep them consistent.
| * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA | ||
| * 02110-1301 USA, or see the FSF site: http://www.fsf.org. | ||
| */ | ||
| package com.xpn.xwiki.web; |
There was a problem hiding this comment.
Hmmm normally we shouldn't introduce new stuff in this package, we should instead put stuff in org.xwiki... package, even in oldcore... Now it would make this class far from the other actions, so I'm not sure here...
There was a problem hiding this comment.
- We need a new action for the map in XWikiCachingRightService. This means that we cannot just reuse another action.
- All actions are already here.
- The code I used in this class is very similar to
ObjectRemoveAction. It's mostly oldcore quality code. It'd probably need even more quality improvements to be anywhere else and I don't think it's worth spending that much time on rewriting it.
| try { | ||
| response.getWriter().write("failed"); | ||
| response.setContentLength(6); | ||
| } catch (IOException e) { |
There was a problem hiding this comment.
Note that most parts are the same as ObjectRemoveAction. This empty exception handle has been in this other file since 2008 so it seems like it's not a huge problem.
This is bad quality I agree.
I added a log similar to what was done in XWikiAction.java
Addressed in 767daac 👍
| response.setContentType("text/plain"); | ||
| try { | ||
| response.getWriter().write("failed"); | ||
| response.setContentLength(6); |
There was a problem hiding this comment.
Hmm really not a fan of this piece of code: at the very least "failed" should be in a String variable and you should eruse it also for the length. Now I'm not sure why you just answer "failed"?
There was a problem hiding this comment.
Note that this part is pretty much the same as ObjectRemoveAction.
I updated it and also changed ObjectRemoveAction to match these changes.
See 6edbec1 👍
| String changeComment = localizePlainOrReturnKey("core.comment.deleteComment"); | ||
|
|
||
| // Make sure the user is allowed to make this modification | ||
| context.getWiki().checkSavingDocument(userReference, doc, changeComment, true, context); |
There was a problem hiding this comment.
And this check is working if you don't have edit right on the doc?
There was a problem hiding this comment.
From what I can understand of this code I reused from ObjectRemoveAction, this does not check the rights of the current user but the state of the document (whether it's in a saveable state or not). I'm retesting things manually to make sure everything is alright.
There was a problem hiding this comment.
Okay, I finally figured it out. The authorisation to do this action is handled at the level of XWikiCachingRightService. This is also the reason why we need an independant action even thought it's pretty much the same as object deletion. From what I understand, one action can only be mapped to one right. Setting the other object editions to depend on the Comment right is wrong, we need to separate this into two actions.
There was a problem hiding this comment.
I can confirm this. I forgot to put the security .jar on my local instance and the action wouldn't go through (with edit rights disabled but comment rights enabled). Updating it as expected fixed the backend permission issue.
There was a problem hiding this comment.
I'm retesting things manually to make sure everything is alright.
Except for an oldcore exception that's unrelated to this PR, builds are okay.
| @Component | ||
| @Named("commentdelete") | ||
| @Singleton | ||
| public class CommentDeleteAction extends XWikiAction |
There was a problem hiding this comment.
A test class should be provided too.
There was a problem hiding this comment.
Added a test for this class.
For both the test and the new Java class, I made sure to reformat the code with XWiki standard on Intellij Idea
I successfully passed mvn clean install -f xwiki-platform-core/xwiki-platform-oldcore -Pquality. All that was reported by SonarLint on both of the files are the @MockComponent that are not used in the class , which is a false positive. They are needed for our test class to work properly.
Added the test class in 1579ded 👍
* Added a log on error of the AJAX write request
* Updated the render function on both ObjectRemoveAction and CommentDeleteAction
* Fixed codestyle * Added a test for the new action
|
This PR is ready for further reviewing. |
Sereza7
added
backport stable-16.10.x
and removed
backport stable-15.10.x
Jira URL
https://jira.xwiki.org/browse/XWIKI-21730
Changes
Description
Clarifications
Screenshots & Video
In order to test those changes, I registered as a regular user (named '123456'). With the admin user, I changed regular user rights at the wiki level: removed the Edit right and kept the Comment right.
We can see that the
deletebutton only appears after the changes in this PR. This is the behavior expected by the reporter of this ticket.Before PR:
After PR:
Executed Tests
None, this change only changes the presence of the button in specific right configurations (No edit right but comment right, different from the default Edit+comment rights). I could only see one reference to this in a pageobject. This function is used only once with regular logged in user rights (in here).
Manual tests were conducted successfully, see the screenshots above.
Expected merging strategy