Allow editing and deletion of comments to be disabled

This commit adds a configuration option which must be set in order to enable users to edit their comments, and enable superusers to delete comments. The option, `enable_editable_comments`, is False by default, meaning that the editing and deletion functionality must be opted into. If it is False, then only a database admin can delete or edit comments, by modifying the database directly. Change-Id: Iabf598eae3aa35e4e53aadfe514fb2b0da37cefc
2016-07-06 10:12:19 +00:00 · 2016-07-06 10:12:19 +00:00 · 7d8e59a81e
commit 7d8e59a81e
parent 0cc7a72f39
4 changed files with 16 additions and 6 deletions
--- a/etc/storyboard.conf.sample
+++ b/etc/storyboard.conf.sample
@ -41,6 +41,10 @@ lock_path = $state_path/lock
 # and subscriptions.
 # enable_notifications = True

+# Enable editing/deletion of comments. When enabled, users can edit their own
+# comments and admins can delete comments.
+# enable_editable_comments = True
+
 [oauth]
 # StoryBoard's oauth configuration.

--- a/storyboard/api/app.py
+++ b/storyboard/api/app.py
@ -52,7 +52,10 @@ API_OPTS = [
               help='API port'),
    cfg.BoolOpt('enable_notifications',
               default=False,
-               help='Enable Notifications')
+               help='Enable Notifications'),
+    cfg.BoolOpt('enable_editable_comments',
+               default=False,
+               help='Enable editing and deletion of comments')
 ]
 CORS_OPTS = [
    cfg.ListOpt('allowed_origins',
--- a/storyboard/api/v1/timeline.py
+++ b/storyboard/api/v1/timeline.py
@ -246,6 +246,9 @@ class CommentsController(rest.RestController):
        :param comment_id: The id of a Comment to be updated.
        :param comment_body: An updated Comment.
        """
+        if not CONF.enable_editable_comments:
+            abort(405, _("Editing of comments is disabled "
+                         "by the server administrator."))

        comments_api.comment_get(comment_id)
        comment_author_id = events_api.events_get_all(
@ -269,6 +272,9 @@ class CommentsController(rest.RestController):
        :param story_id: A placeholder.
        :param comment_id: The id of a Comment to be updated.
        """
+        if not CONF.enable_editable_comments:
+            abort(405, _("Deletion of comments is disabled "
+                         "by the server administrator."))

        comments_api.comment_delete(comment_id)

--- a/storyboard/tests/api/test_comments.py
+++ b/storyboard/tests/api/test_comments.py
@ -61,9 +61,6 @@ class TestComments(base.FunctionalTest):
        update_url = self.comments_resource % self.story_id + \
            "/%d" % original_id

-        updated = self.put_json(update_url, delta)
+        response = self.put_json(update_url, delta, expect_errors=True)

-        original_content = self.comment_01['content']
-        updated_content = updated.json['content']
-
-        self.assertNotEqual(original_content, updated_content)
+        self.assertEqual(405, response.status_code)