
launchpad-reviewers team mailing list archive

[Merge] ~pappacena/launchpad:prevent-admins-from-editing-codereview-comment into launchpad:master

 

Thiago F. Pappacena has proposed merging ~pappacena/launchpad:prevent-admins-from-editing-codereview-comment into launchpad:master.

Commit message:
Make sure that only owners can edit CodeReviewComment

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~pappacena/launchpad/+git/launchpad/+merge/403146
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of ~pappacena/launchpad:prevent-admins-from-editing-codereview-comment into launchpad:master.
diff --git a/lib/lp/security.py b/lib/lp/security.py
index 1eeca4e..9b1cfa8 100644
--- a/lib/lp/security.py
+++ b/lib/lp/security.py
@@ -2636,6 +2636,15 @@ class CodeReviewCommentView(DelegatedAuthorization):
             obj, obj.branch_merge_proposal)
 
 
+class CodeReviewCommentEdit(AuthorizationBase):
+    permission = 'launchpad.Edit'
+    usedfor = ICodeReviewComment
+
+    def checkAuthenticated(self, user):
+        """Only message owner can edit it."""
+        return user.isOwner(self.obj)
+
+
 class CodeReviewCommentDelete(DelegatedAuthorization):
     permission = 'launchpad.Edit'
     usedfor = ICodeReviewCommentDeletion
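Review bot: CodeReviewCommentEdit.checkAuthenticated returns only user.isOwner(self.obj), and nothing in the class records that leaving admins out is deliberate. Extend the docstring "Only message owner can edit it." to say that admins are intentionally not granted launchpad.Edit on ICodeReviewComment, so a later change does not add an admin branch back. It is also worth stating in the proposal whether CodeReviewCommentDelete just below, which uses the same 'launchpad.Edit' permission on ICodeReviewCommentDeletion, is meant to keep its delegated behaviour unchanged.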
diff --git a/lib/lp/services/messages/tests/test_message.py b/lib/lp/services/messages/tests/test_message.py
index c483305..bd4fc12 100644
--- a/lib/lp/services/messages/tests/test_message.py
+++ b/lib/lp/services/messages/tests/test_message.py
@@ -360,9 +360,9 @@ class TestMessageEditingAPI(MessageTypeScenariosMixin, TestCaseWithFactory):
         self.assertIsNone(edited_obj["date_deleted"])
         self.assertIsNotNone(edited_obj["date_last_edited"])
 
-    def test_edit_message_permission_denied_for_non_owner(self):
+    def assertPermissionDeniedEditMessage(self, caller_person):
         msg = self.makeMessage(content="initial content")
-        ws = self.getWebservice(self.factory.makePerson())
+        ws = self.getWebservice(caller_person)
         url = self.getMessageAPIURL(msg)
         response = ws.named_post(
             url, 'editContent', new_content="the new content")
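Review bot: assertPermissionDeniedEditMessage has no docstring, and it is now a shared helper rather than a test. A one-line docstring saying that it calls editContent as caller_person and what it asserts about the response and the stored message would make a failure in either caller easier to read.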
@@ -373,6 +373,13 @@ class TestMessageEditingAPI(MessageTypeScenariosMixin, TestCaseWithFactory):
         self.assertIsNone(edited_obj["date_deleted"])
         self.assertIsNone(edited_obj["date_last_edited"])
 
+    def test_edit_message_permission_denied_for_non_owner(self):
+        self.assertPermissionDeniedEditMessage(self.factory.makePerson())
+
+    def test_edit_message_permission_denied_for_admin(self):
+        self.assertPermissionDeniedEditMessage(
+            self.factory.makeAdministrator())
+
     def test_delete_message(self):
         msg = self.makeMessage(content="initial content")
         ws = self.getWebservice(self.person)
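Review bot: test_edit_message_permission_denied_for_admin lives in TestMessageEditingAPI, which mixes in MessageTypeScenariosMixin, while the security.py change in this proposal adds an adapter only for ICodeReviewComment. Please confirm in the description that the other message types in the scenarios already deny admins, or note which scenario failed before this change, so the test can be tied to the new CodeReviewCommentEdit class.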
