From 8eca9d970200291cef47d940b82c9c0561320992 Mon Sep 17 00:00:00 2001
From: Thomas Citharel <tcit@tcit.fr>
Date: Mon, 5 Oct 2020 17:42:53 +0200
Subject: [PATCH] Make sure only organizer actor can comment if event comments
 are disabled

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
---
 js/src/components/Comment/CommentTree.vue |  35 +++--
 lib/graphql/resolvers/comment.ex          |  18 ++-
 lib/graphql/schema/discussions/comment.ex |   2 +-
 test/graphql/resolvers/comment_test.exs   | 158 ++++++++++++----------
 4 files changed, 130 insertions(+), 83 deletions(-)

diff --git a/js/src/components/Comment/CommentTree.vue b/js/src/components/Comment/CommentTree.vue
index 32f726682..de4aa8a6b 100644
--- a/js/src/components/Comment/CommentTree.vue
+++ b/js/src/components/Comment/CommentTree.vue
@@ -2,7 +2,7 @@
   <div>
     <form
       class="new-comment"
-      v-if="currentActor.id && event.options.commentModeration !== CommentModeration.CLOSED"
+      v-if="isAbleToComment"
       @submit.prevent="createCommentForEvent(newComment)"
       @keyup.ctrl.enter="createCommentForEvent(newComment)"
     >
@@ -22,11 +22,7 @@
         </div>
       </article>
     </form>
-    <b-notification
-      v-else-if="event.options.commentModeration === CommentModeration.CLOSED"
-      :closable="false"
-      >{{ $t("Comments have been closed.") }}</b-notification
-    >
+    <b-notification v-else :closable="false">{{ $t("Comments have been closed.") }}</b-notification>
     <transition name="comment-empty-list" mode="out-in">
       <transition-group name="comment-list" v-if="comments.length" class="comment-list" tag="ul">
         <comment
@@ -51,7 +47,6 @@
 import { Prop, Vue, Component, Watch } from "vue-property-decorator";
 import Comment from "@/components/Comment/Comment.vue";
 import IdentityPickerWrapper from "@/views/Account/IdentityPickerWrapper.vue";
-import { SnackbarProgrammatic as Snackbar } from "buefy";
 import { CommentModel, IComment } from "../../types/comment.model";
 import {
   CREATE_COMMENT_FROM_EVENT,
@@ -190,8 +185,11 @@ export default class CommentTree extends Vue {
 
       // and reset the new comment field
       this.newComment = new CommentModel();
-    } catch (e) {
-      Snackbar.open({ message: e.message, type: "is-danger", position: "is-bottom" });
+    } catch (error) {
+      console.error(error);
+      if (error.graphQLErrors && error.graphQLErrors.length > 0) {
+        this.$notifier.error(error.graphQLErrors[0].message);
+      }
     }
   }
 
@@ -260,8 +258,11 @@ export default class CommentTree extends Vue {
         },
       });
       // this.comments = this.comments.filter(commentItem => commentItem.id !== comment.id);
-    } catch (e) {
-      Snackbar.open({ message: e.message, type: "is-danger", position: "is-bottom" });
+    } catch (error) {
+      console.error(error);
+      if (error.graphQLErrors && error.graphQLErrors.length > 0) {
+        this.$notifier.error(error.graphQLErrors[0].message);
+      }
     }
   }
 
@@ -279,6 +280,18 @@ export default class CommentTree extends Vue {
   get filteredOrderedComments(): IComment[] {
     return this.orderedComments.filter((comment) => !comment.deletedAt || comment.totalReplies > 0);
   }
+
+  get isAbleToComment(): boolean {
+    if (this.currentActor.id) {
+      if (
+        this.event.options.commentModeration !== CommentModeration.CLOSED ||
+        (this.event.organizerActor && this.currentActor.id === this.event.organizerActor.id)
+      ) {
+        return true;
+      }
+    }
+    return false;
+  }
 }
 </script>
 
diff --git a/lib/graphql/resolvers/comment.ex b/lib/graphql/resolvers/comment.ex
index 49c491543..d374f054a 100644
--- a/lib/graphql/resolvers/comment.ex
+++ b/lib/graphql/resolvers/comment.ex
@@ -3,9 +3,10 @@ defmodule Mobilizon.GraphQL.Resolvers.Comment do
   Handles the comment-related GraphQL calls.
   """
 
-  alias Mobilizon.{Actors, Admin, Discussions}
+  alias Mobilizon.{Actors, Admin, Discussions, Events}
   alias Mobilizon.Actors.Actor
   alias Mobilizon.Discussions.Comment, as: CommentModel
+  alias Mobilizon.Events.{Event, EventOptions}
   alias Mobilizon.Users
   alias Mobilizon.Users.User
   import Mobilizon.Web.Gettext
@@ -20,7 +21,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Comment do
 
   def create_comment(
         _parent,
-        %{actor_id: actor_id} = args,
+        %{actor_id: actor_id, event_id: event_id} = args,
         %{
           context: %{
             current_user: %User{} = user
@@ -28,10 +29,23 @@ defmodule Mobilizon.GraphQL.Resolvers.Comment do
         }
       ) do
     with {:is_owned, %Actor{} = _organizer_actor} <- User.owns_actor(user, actor_id),
+         {:find_event,
+          {:ok,
+           %Event{
+             options: %EventOptions{comment_moderation: comment_moderation},
+             organizer_actor_id: organizer_actor_id
+           }}} <-
+           {:find_event, Events.get_event(event_id)},
+         {actor_id, ""} <- Integer.parse(actor_id),
+         {:allowed, true} <-
+           {:allowed, comment_moderation != :closed || actor_id == organizer_actor_id},
          {:ok, _, %CommentModel{} = comment} <-
            Comments.create_comment(args) do
       {:ok, comment}
     else
+      {:allowed, false} ->
+        {:error, :unauthorized}
+
       {:is_owned, nil} ->
         {:error, dgettext("errors", "Profile is not owned by authenticated user")}
     end
diff --git a/lib/graphql/schema/discussions/comment.ex b/lib/graphql/schema/discussions/comment.ex
index 6103076b0..c5b77969e 100644
--- a/lib/graphql/schema/discussions/comment.ex
+++ b/lib/graphql/schema/discussions/comment.ex
@@ -66,7 +66,7 @@ defmodule Mobilizon.GraphQL.Schema.Discussions.CommentType do
     @desc "Create a comment"
     field :create_comment, type: :comment do
       arg(:text, non_null(:string))
-      arg(:event_id, :id)
+      arg(:event_id, non_null(:id))
       arg(:in_reply_to_comment_id, :id)
       arg(:actor_id, non_null(:id))
 
diff --git a/test/graphql/resolvers/comment_test.exs b/test/graphql/resolvers/comment_test.exs
index 95af0de91..f07282db1 100644
--- a/test/graphql/resolvers/comment_test.exs
+++ b/test/graphql/resolvers/comment_test.exs
@@ -3,9 +3,11 @@ defmodule Mobilizon.GraphQL.Resolvers.CommentTest do
 
   import Mobilizon.Factory
 
+  alias Mobilizon.Events
+  alias Mobilizon.Events.{Event, EventOptions}
   alias Mobilizon.GraphQL.AbsintheHelpers
 
-  @comment %{text: "I love this event"}
+  @comment_text "I love this event"
 
   setup %{conn: conn} do
     user = insert(:user)
@@ -16,75 +18,104 @@ defmodule Mobilizon.GraphQL.Resolvers.CommentTest do
   end
 
   describe "Comment Resolver" do
+    @create_comment_mutation """
+    mutation CreateComment($text: String!, $actorId: ID, $eventId: ID, $inReplyToCommentId: ID) {
+      createComment(text: $text, actorId: $actorId, eventId: $eventId, inReplyToCommentId: $inReplyToCommentId) {
+        id,
+        text,
+        uuid,
+        inReplyToComment {
+          id,
+          text
+        }
+      }
+    }
+    """
+
     test "create_comment/3 creates a comment", %{
       conn: conn,
       actor: actor,
       user: user,
       event: event
     } do
-      mutation = """
-          mutation {
-              createComment(
-                  text: "#{@comment.text}",
-                  actor_id: "#{actor.id}",
-                  event_id: "#{event.id}"
-              ) {
-                text,
-                uuid
-              }
-            }
-      """
-
       res =
         conn
         |> auth_conn(user)
-        |> AbsintheHelpers.graphql_query(query: mutation, variables: %{})
+        |> AbsintheHelpers.graphql_query(
+          query: @create_comment_mutation,
+          variables: %{text: @comment_text, actorId: actor.id, eventId: event.id}
+        )
 
-      assert res["data"]["createComment"]["text"] == @comment.text
+      assert res["data"]["createComment"]["text"] == @comment_text
     end
 
-    test "create_comment/3 checks that user owns actor", %{conn: conn, user: user} do
+    test "create_comment/3 checks that user owns actor", %{conn: conn, user: user, event: event} do
       actor = insert(:actor)
 
-      mutation = """
-          mutation {
-              createComment(
-                  text: "#{@comment.text}",
-                  actor_id: "#{actor.id}"
-              ) {
-                text,
-                uuid
-              }
-            }
-      """
-
       res =
         conn
         |> auth_conn(user)
-        |> AbsintheHelpers.graphql_query(query: mutation, variables: %{})
+        |> AbsintheHelpers.graphql_query(
+          query: @create_comment_mutation,
+          variables: %{text: @comment_text, actorId: actor.id, eventId: event.id}
+        )
 
       assert hd(res["errors"])["message"] ==
                "Profile is not owned by authenticated user"
     end
 
-    test "create_comment/3 requires that the user needs to be authenticated", %{conn: conn} do
-      actor = insert(:actor)
-
-      mutation = """
-          mutation {
-              createComment(
-                  text: "#{@comment.text}",
-                  actor_id: "#{actor.id}"
-              ) {
-                text,
-                uuid
-              }
-            }
-      """
+    test "create_comment/3 doesn't allow creating events if it's disabled", %{
+      conn: conn,
+      actor: actor,
+      user: user,
+      event: event
+    } do
+      {:ok, %Event{options: %EventOptions{comment_moderation: :closed}}} =
+        Events.update_event(event, %{options: %{comment_moderation: :closed}})
 
       res =
         conn
-        |> AbsintheHelpers.graphql_query(query: mutation, variables: %{})
+        |> auth_conn(user)
+        |> AbsintheHelpers.graphql_query(
+          query: @create_comment_mutation,
+          variables: %{text: @comment_text, actorId: actor.id, eventId: event.id}
+        )
+
+      assert hd(res["errors"])["message"] ==
+               "You don't have permission to do this"
+    end
+
+    test "create_comment/3 allows creating events if it's disabled but we're the organizer", %{
+      conn: conn,
+      actor: actor,
+      user: user
+    } do
+      event = insert(:event, organizer_actor: actor, options: %{comment_moderation: :closed})
+
+      res =
+        conn
+        |> auth_conn(user)
+        |> AbsintheHelpers.graphql_query(
+          query: @create_comment_mutation,
+          variables: %{text: @comment_text, actorId: actor.id, eventId: event.id}
+        )
+
+      assert is_nil(res["errors"])
+      assert res["data"]["createComment"]["text"] == @comment_text
+    end
+
+    test "create_comment/3 requires that the user needs to be authenticated", %{
+      conn: conn,
+      event: event
+    } do
+      actor = insert(:actor)
+
+      res =
+        conn
+        |> AbsintheHelpers.graphql_query(
+          query: @create_comment_mutation,
+          variables: %{text: @comment_text, actorId: actor.id, eventId: event.id}
+        )
 
       assert hd(res["errors"])["message"] ==
                "You are not allowed to create a comment if not connected"
@@ -98,35 +129,24 @@ defmodule Mobilizon.GraphQL.Resolvers.CommentTest do
     } do
       comment = insert(:comment)
 
-      mutation = """
-          mutation {
-              createComment(
-                  text: "#{@comment.text}",
-                  actor_id: "#{actor.id}",
-                  event_id: "#{event.id}",
-                  in_reply_to_comment_id: "#{comment.id}"
-              ) {
-                id,
-                text,
-                uuid,
-                in_reply_to_comment {
-                  id,
-                  text
-                }
-              }
-            }
-      """
-
       res =
         conn
         |> auth_conn(user)
-        |> AbsintheHelpers.graphql_query(query: mutation, variables: %{})
+        |> AbsintheHelpers.graphql_query(
+          query: @create_comment_mutation,
+          variables: %{
+            text: @comment_text,
+            actorId: actor.id,
+            eventId: event.id,
+            inReplyToCommentId: comment.id
+          }
+        )
 
-      assert res["errors"] == nil
-      assert res["data"]["createComment"]["text"] == @comment.text
+      assert is_nil(res["errors"])
+      assert res["data"]["createComment"]["text"] == @comment_text
       uuid = res["data"]["createComment"]["uuid"]
 
-      assert res["data"]["createComment"]["in_reply_to_comment"]["id"] ==
+      assert res["data"]["createComment"]["inReplyToComment"]["id"] ==
                to_string(comment.id)
 
       query = """
@@ -144,7 +164,7 @@ defmodule Mobilizon.GraphQL.Resolvers.CommentTest do
         |> AbsintheHelpers.graphql_query(query: query, variables: %{})
 
       assert res["errors"] == nil
-      assert res["data"]["thread"] == [%{"uuid" => uuid, "text" => @comment.text}]
+      assert res["data"]["thread"] == [%{"uuid" => uuid, "text" => @comment_text}]
     end
 
     @delete_comment """