Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XWIKI-21730: Delete own comments should not require edit rights on page #2836

Draft
wants to merge 13 commits into
base: master
Choose a base branch
from

Conversation

Sereza7
Copy link
Contributor

@Sereza7 Sereza7 commented Feb 1, 2024

Jira URL

https://jira.xwiki.org/browse/XWIKI-21730

Changes

Description

  • Changed the permission needed for the delete comment action to be displayed

Clarifications

  • The code responsible for allowing or not to delete the comment was introduced in version 3.0-rc1 (see the commit), and apparently it was not a use case considered by those changes. So I don't see an issue with tying the comment deletion action to the comment right instead of the edit right.
  • The template for generating these action buttons is a bit of a mess. I considered for a moment changing the order of the buttons to make it cleaner. However after considering stakes, I realized the UI inconsistency between versions would be worst for users than the small code quality/optimization we would have gotten.

Screenshots & Video

In order to test those changes, I registered as a regular user (named '123456'). With the admin user, I changed regular user rights at the wiki level: removed the Edit right and kept the Comment right.
We can see that the delete button only appears after the changes in this PR. This is the behavior expected by the reporter of this ticket.
Before PR:
21730-beforePR
After PR:
21730-afterPR

Executed Tests

None, this change only changes the presence of the button in specific right configurations (No edit right but comment right, different from the default Edit+comment rights). I could only see one reference to this in a pageobject. This function is used only once with regular logged in user rights (in here).
Manual tests were conducted successfully, see the screenshots above.

Expected merging strategy

  • Prefers squash: Yes
  • Backport on branches:
    • 15.10.X - minor change with very low risk

* Changed the permission needed for the delete comment action to be displayed
@Sereza7 Sereza7 added the backport stable-15.10.x Used for automatic backport to 15.10.x branch. label Feb 1, 2024
@@ -184,7 +184,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true)
<a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow"
href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}"
title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a>
#if ($hasAdmin || ($hasEdit && $isUserComment))
#if ($hasAdmin || ($xwiki.hasAccessLevel('comment') && $isUserComment))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be consistent I would reuse the same condition than the one used for editing a comment, which is right now #if($hasAdmin || $isUserComment) (see line 180).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in f536a96 and f943ae6 . 👍

This selector was a bit more restrictive, actually checking for the comment right. Now, any user can delete their comments even if they don't have any right on a page.

@Sereza7 Sereza7 marked this pull request as draft February 2, 2024 09:10
Sereza7 and others added 2 commits February 7, 2024 14:41
* Added backend support for deletion of comments. This new action is very similar to regular object removal (which was the action used before), but is based on the Comment right instead of the Edit right.

See this demo: https://youtu.be/LwnLWfZFYZw
@Sereza7
Copy link
Contributor Author

Sereza7 commented Feb 7, 2024

Added backend support for deletion of comments. This new action is very similar to regular object removal (which was the action used before), but is based on the Comment right instead of the Edit right.

Changes are mostly contained in the oldcore module, because that's where all the backend logic for actions used in those buttons was already contained.

See a demo of this updated action.
This demo worked with just creating two symlinks on the updated jars for xwiki-oldcore and xwiki-security-authorization-bridge , and updating the commentsinline.vm template.

@Sereza7 Sereza7 marked this pull request as ready for review February 7, 2024 14:14
@@ -184,7 +184,7 @@ $xwiki.ssfx.use('uicomponents/viewers/comments.css', true)
<a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow"
href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}"
title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a>
#if ($hasAdmin || ($hasEdit && $isUserComment))
#if ($hasAdmin || $isUserComment)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about introducing a new variable to use in both if for edit and delete? That way we ensure that we'll keep them consistent.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done in 9f841ae 👍

* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package com.xpn.xwiki.web;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm normally we shouldn't introduce new stuff in this package, we should instead put stuff in org.xwiki... package, even in oldcore... Now it would make this class far from the other actions, so I'm not sure here...

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • We need a new action for the map in XWikiCachingRightService. This means that we cannot just reuse another action.
  • All actions are already here.
  • The code I used in this class is very similar to ObjectRemoveAction. It's mostly oldcore quality code. It'd probably need even more quality improvements to be anywhere else and I don't think it's worth spending that much time on rewriting it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's worth spending that much time on rewriting it.

Note that I was only talking about moving that class to another package. Now if it's using some package private stuff it's making this more complex indeed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Honestly it does not make much sense to have CommentAddAction here and CommentDeleteAction elsewhere so +1 to keep it here.

try {
response.getWriter().write("failed");
response.setContentLength(6);
} catch (IOException e) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing to handle the exception?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that most parts are the same as ObjectRemoveAction. This empty exception handle has been in this other file since 2008 so it seems like it's not a huge problem.
This is bad quality I agree.
I added a log similar to what was done in XWikiAction.java

LOGGER.error("Failed to send error response to AJAX save and continue request.", e);

Addressed in 767daac 👍

response.setContentType("text/plain");
try {
response.getWriter().write("failed");
response.setContentLength(6);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm really not a fan of this piece of code: at the very least "failed" should be in a String variable and you should eruse it also for the length. Now I'm not sure why you just answer "failed"?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this part is pretty much the same as ObjectRemoveAction.
I updated it and also changed ObjectRemoveAction to match these changes.

See 6edbec1 👍

String changeComment = localizePlainOrReturnKey("core.comment.deleteComment");

// Make sure the user is allowed to make this modification
context.getWiki().checkSavingDocument(userReference, doc, changeComment, true, context);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And this check is working if you don't have edit right on the doc?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From what I can understand of this code I reused from ObjectRemoveAction, this does not check the rights of the current user but the state of the document (whether it's in a saveable state or not). I'm retesting things manually to make sure everything is alright.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, I finally figured it out. The authorisation to do this action is handled at the level of XWikiCachingRightService. This is also the reason why we need an independant action even thought it's pretty much the same as object deletion. From what I understand, one action can only be mapped to one right. Setting the other object editions to depend on the Comment right is wrong, we need to separate this into two actions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can confirm this. I forgot to put the security .jar on my local instance and the action wouldn't go through (with edit rights disabled but comment rights enabled). Updating it as expected fixed the backend permission issue.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm retesting things manually to make sure everything is alright.

Except for an oldcore exception that's unrelated to this PR, builds are okay.

@Component
@Named("commentdelete")
@Singleton
public class CommentDeleteAction extends XWikiAction
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A test class should be provided too.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a test for this class.

For both the test and the new Java class, I made sure to reformat the code with XWiki standard on Intellij Idea
I successfully passed mvn clean install -f xwiki-platform-core/xwiki-platform-oldcore -Pquality. All that was reported by SonarLint on both of the files are the @MockComponent that are not used in the class , which is a false positive. They are needed for our test class to work properly.

Added the test class in 1579ded 👍

@Sereza7 Sereza7 marked this pull request as draft February 12, 2024 10:56
@Sereza7 Sereza7 marked this pull request as ready for review December 23, 2024 15:36
@Sereza7
Copy link
Contributor Author

Sereza7 commented Dec 23, 2024

This PR is ready for further reviewing.

@Sereza7 Sereza7 requested a review from surli December 23, 2024 15:38
@Sereza7 Sereza7 added backport stable-16.10.x and removed backport stable-15.10.x Used for automatic backport to 15.10.x branch. labels Jan 3, 2025
<a class="edit btn btn-default btn-xs" rel="nofollow" href="$doc.getURL('view', "viewer=comments&amp;number=${comment.number}&amp;xredirect=$doc.getURL('view')")" title="$services.localization.render('core.viewers.comments.edit')">$services.icon.renderHTML('pencil')</a>
#end
#end
<a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow"
href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}"
title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a>
#if ($hasAdmin || ($hasEdit && $isUserComment))
#if ($hasCommentEditionRight)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm I'm not so sure about that change... Yeah I know I commented to have consistency in an early review :)
Have you tested if it actually works to edit a comment for a page in which the comment user doesn't have edit right?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2025-01-22.10-27-29.mp4

I'm not sure why this wouldn't work anymore. The boolean logic is the same as it was before isn't it?
$hasCommentEditionRight is always set/updated a few lines above and takes the current context values for rights.

* @version $Id$
* @since 17.0.0RC1
*/
@ComponentList
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm wrong annotation I think: this one takes as values a list of component. I guess you wanted to use @ComponentTest?

Copy link
Member

@tmortagne tmortagne Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that you should not use @ComponentTest either since you have @OldcoreTest (it's one or the other).

<a class="edit btn btn-default btn-xs" rel="nofollow" href="$doc.getURL('view', "viewer=comments&amp;number=${comment.number}&amp;xredirect=$doc.getURL('view')")" title="$services.localization.render('core.viewers.comments.edit')">$services.icon.renderHTML('pencil')</a>
#end
#end
<a class="permalink btn btn-default btn-xs" data-toggle="modal" data-target="#permalinkModal" rel="nofollow"
href="$doc.getURL('view', 'viewer=comments')#xwikicomment_${comment.number}"
title="$services.localization.render('core.viewers.comments.permalink')">$services.icon.renderHTML('link')</a>
#if ($hasAdmin || ($hasEdit && $isUserComment))
#if ($hasCommentEditionRight)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the indentation change on purpose ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a mistake. We don't indent for the div a few lines above, this is probably what threw me off here. The #end tag is not intended, I removed this indentation change in c0db94e 👍

{
private static final String FAIL_MESSAGE = "failed";

private static final Logger LOGGER = LoggerFactory.getLogger(CommentDeleteAction.class);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a component, so you can inject a Logger (you find this kind of stuff in other actions because they used to not be components, but for new code let's do things by the book).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay! Thanks for the clarification :)

I updated it in a71eee7 👍

@@ -41,6 +43,8 @@
@Singleton
public class ObjectRemoveAction extends XWikiAction
{
private static final String FAIL_MESSAGE = "failed";
private static final Logger LOGGER = LoggerFactory.getLogger(ObjectRemoveAction.class);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above about injected Loggers.

*/
@ComponentList
@ReferenceComponentList
@OldcoreTest(mockXWiki = false)
Copy link
Member

@tmortagne tmortagne Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mockXWiki = false sounds a bit strange, this was basically introduced for tests of XWiki, but tests not really testing XWiki itself generally don't want to do that

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay! Removed it in a71eee7 👍

* @since 17.0.0RC1
*/
@Component
@Named("commentdelete")
Copy link
Member

@tmortagne tmortagne Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing critical but commentremove would feel more consistent with objectremove, especially since it's reusing ObjectRemoveForm.

Copy link
Contributor Author

@Sereza7 Sereza7 Jan 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the action name in a71eee7 👍

@Component
@Named("commentdelete")
@Singleton
public class CommentDeleteAction extends XWikiAction
Copy link
Member

@tmortagne tmortagne Jan 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might worth moving most of this class in some AbstractObjectRemoveAction that would also be extended by ObjectRemoveAction (to me it seems the main different is that CommentRemoveAction would indicate a hardcoded class to AbstractObjectRemoveAction instead of using the one provided by ObjectRemoveForm).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tmortagne I tried factorize this code by moving it to an abstract class like you recommended. However, I hit the revapi fail:

[ERROR] Failed to execute goal org.revapi:revapi-maven-plugin:0.15.0:check (revapi-check) on project xwiki-platform-legacy-oldcore: The following API problems caused the build to fail:
[ERROR] java.class.nonFinalClassInheritsFromNewClass: class com.xpn.xwiki.web.ObjectRemoveAction: Non-final class now inherits from 'com.xpn.xwiki.web.AbstractObjectRemoveAction'. https://revapi.org/revapi-java/differences.html#java.class.nonFinalClassInheritsFromNewClass

AFAIU, there was nothing final in this class, so everything is fine. Do you know how we should ignore this warning or find an alternative solution to avoid triggering it?
For now I just added a revapi.skip in the legacy POM, but it's just a temporary solution to be able to build and test locally.

ScriptContext.ENGINE_SCOPE);
} else {
// Comment class reference
DocumentReference commentClass = new DocumentReference(context.getWikiId(), XWiki.SYSTEM_SPACE,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you need to create a DocumentReference ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because we shouldn't use doc,getObject anymore, it's deprecated. AFAIR, getXObject only accepts reference parameters and not Strings.

ObjectRemoveForm form = (ObjectRemoveForm) context.getForm();
BaseObject obj = null;

String className = form.getClassName();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Manipulating the class name does not make sense for this action, since it's always about comments (or only to return an error if someone tried to be clever and use this action to delete another type of xobject with just comment right).

* Removed incorrect annotation
* Updated indentation
* Factorized code
* Injected logger instead of using a factory.
* Updated the action name.
@Sereza7
Copy link
Contributor Author

Sereza7 commented Jan 22, 2025

WIP, still need to handle the className differently in both.

@Sereza7 Sereza7 marked this pull request as draft January 22, 2025 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants