fix access for deleting comments + other access troube

tracim/fixtures/content.py

         bob = self._session.query(models.User) \
             .filter(models.User.email == 'bob@fsf.local') \
             .one()
+        john_the_reader = self._session.query(models.User) \
+            .filter(models.User.email == 'john-the-reader@reader.local') \
+            .one()
+
         admin_workspace_api = WorkspaceApi(
             current_user=admin,
             session=self._session,
             session=self._session,
             config=self._config
         )
+        reader_content_api = ContentApi(
+            current_user=john_the_reader,
+            session=self._session,
+            config=self._config
+        )
         role_api = RoleApi(
             current_user=admin,
             session=self._session,
             role_level=UserRoleInWorkspace.CONTENT_MANAGER,
             with_notif=False,
         )
+        role_api.create_one(
+            user=john_the_reader,
+            workspace=recipe_workspace,
+            role_level=UserRoleInWorkspace.READER,
+            with_notif=False,
+        )
         # Folders
 
         tool_workspace = content_api.create(
             content='<p>What about Apple Pie ? There are Awesome !</p>',
             do_save=True,
         )
-        content_api.create_comment(
+        reader_content_api.create_comment(
             parent=best_cake_thread,
             content='<p>You are right, but Kouign-amann are clearly better.</p>',
             do_save=True,

tracim/fixtures/users_and_groups.py

         bob.password = 'foobarbaz'
         self._session.add(bob)
         g2.users.append(bob)
+
+        g2 = self._session.query(models.Group).\
+            filter(models.Group.group_name == 'users').one()
+        lawrence = models.User()
+        lawrence.display_name = 'John Reader'
+        lawrence.email = 'john-the-reader@reader.local'
+        lawrence.password = 'read'
+        self._session.add(lawrence)
+        g2.users.append(lawrence)

tracim/lib/utils/authorization.py

             raise ContentTypeNotAllowed()
         return wrapper
     return decorator
+
+
+def require_comment_ownership_or_role(
+        minimal_required_role_for_owner: int,
+        minimal_required_role_for_anyone: int,
+) -> None:
+    """
+    Decorator for view to restrict access of tracim request if role is
+    not high enough and user is not owner of the current_content
+    :param minimal_required_role_for_owner_access: minimal role for owner
+    of current_content to access to this view
+    :param minimal_required_role_for_anyone: minimal role for anyone to
+    access to this view.
+    :return:
+    """
+    def decorator(func):
+        @functools.wraps(func)
+        def wrapper(self, context, request: 'TracimRequest'):
+            user = request.current_user
+            workspace = request.current_workspace
+            comment = request.current_comment
+            # INFO - G.M - 2018-06-178 - find minimal role required
+            if comment.owner.user_id == user.user_id:
+                minimal_required_role = minimal_required_role_for_owner
+            else:
+                minimal_required_role = minimal_required_role_for_anyone
+            # INFO - G.M - 2018-06-178 - normal role test
+            if workspace.get_user_role(user) >= minimal_required_role:
+                return func(self, context, request)
+            raise InsufficientUserWorkspaceRole()
+        return wrapper
+    return decorator

tracim/lib/utils/request.py

             decode_param_names,
             **kw
         )
+        # Current comment, found in request path
+        self._current_comment = None  # type: Content
+
         # Current content, found in request path
         self._current_content = None  # type: Content
 
             )
         self._current_content = content
 
+    @property
+    def current_comment(self) -> User:
+        """
+        Get current comment from path
+        """
+        if self._current_comment is None:
+            self._current_comment = self._get_current_comment(
+                self.current_user,
+                self.current_workspace,
+                self.current_content,
+                self
+                )
+        return self._current_comment
+
+    @current_comment.setter
+    def current_comment(self, content: Content) -> None:
+        if self._current_comment is not None:
+            raise ImmutableAttribute(
+                "Can't modify already setted current_content"
+            )
+        self._current_comment = content
     # TODO - G.M - 24-05-2018 - Find a better naming for this ?
     @property
     def candidate_user(self) -> User:
     ###
     # Utils for TracimRequest
     ###
+    def _get_current_comment(
+            self,
+            user: User,
+            workspace: Workspace,
+            content: Content,
+            request: 'TracimRequest'
+    ):
+        """
+        Get current content from request
+        :param user: User who want to check the workspace
+        :param request: pyramid request
+        :return: current content
+        """
+        comment_id = ''
+        try:
+            if 'comment_id' in request.matchdict:
+                comment_id = int(request.matchdict['comment_id'])
+            if not comment_id:
+                raise ContentNotFoundInTracimRequest('No comment_id property found in request')  # nopep8
+            api = ContentApi(
+                current_user=user,
+                session=request.dbsession,
+                config=request.registry.settings['CFG']
+            )
+            comment = api.get_one(
+                comment_id,
+                content_type=ContentType.Comment,
+                workspace=workspace,
+                parent=content,
+            )
+        except JSONDecodeError:
+            raise ContentNotFound('Bad json body')
+        except NoResultFound:
+            raise ContentNotFound(
+                'Comment {} does not exist '
+                'or is not visible for this user'.format(comment_id)
+            )
+        return comment
 
     def _get_current_content(
             self,

tracim/tests/functional/test_comments.py

         assert comment['parent_id'] == 7
         assert comment['raw_content'] == '<p>You are right, but Kouign-amann are clearly better.</p>'  # nopep8
         assert comment['author']
-        assert comment['author']['user_id'] == 1
+        assert comment['author']['user_id'] == 4
         # TODO - G.M - 2018-06-172 - [avatar] setup avatar url
         assert comment['author']['avatar_url'] == None
-        assert comment['author']['public_name'] == 'Global manager'
+        assert comment['author']['public_name'] == 'John Reader'
 
     def test_api__post_content_comment__ok_200__nominal_case(self) -> None:
         """
         assert len(res.json_body) == 4
         assert comment == res.json_body[3]
 
-    def test_api__delete_content_comment__ok_200__nominal_case(self) -> None:
+    def test_api__delete_content_comment__ok_200__workspace_manager_owner(self) -> None:
         """
-        Get alls comments of a content
+        delete comment (user is workspace_manager and owner)
         """
         self.testapp.authorization = (
             'Basic',
         )
         res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
         assert len(res.json_body) == 3
-        comment = res.json_body[2]
-        assert comment['content_id'] == 20
+        comment = res.json_body[0]
+        assert comment['content_id'] == 18
         assert comment['parent_id'] == 7
-        assert comment['raw_content'] == '<p>You are right, but Kouign-amann are clearly better.</p>'   # nopep8
+        assert comment['raw_content'] == '<p> What is for you the best cake ever ? </br> I personnally vote for Chocolate cupcake !</p>'   # nopep8
         assert comment['author']
         assert comment['author']['user_id'] == 1
         # TODO - G.M - 2018-06-172 - [avatar] setup avatar url
         assert comment['author']['public_name'] == 'Global manager'
 
         res = self.testapp.delete(
-            '/api/v2/workspaces/2/contents/7/comments/20',
+            '/api/v2/workspaces/2/contents/7/comments/18',
+            status=204
+        )
+        res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
+        assert len(res.json_body) == 2
+        assert not [content for content in res.json_body if content['content_id'] == 18]  # nopep8
+
+    def test_api__delete_content_comment__ok_200__workspace_manager(self) -> None:
+        """
+        delete comment (user is workspace_manager)
+        """
+        self.testapp.authorization = (
+            'Basic',
+            (
+                'admin@admin.admin',
+                'admin@admin.admin'
+            )
+        )
+        res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
+        assert len(res.json_body) == 3
+        comment = res.json_body[1]
+        assert comment['content_id'] == 19
+        assert comment['parent_id'] == 7
+        assert comment['raw_content'] == '<p>What about Apple Pie ? There are Awesome !</p>'   # nopep8
+        assert comment['author']
+        assert comment['author']['user_id'] == 3
+        # TODO - G.M - 2018-06-172 - [avatar] setup avatar url
+        assert comment['author']['avatar_url'] is None
+        assert comment['author']['public_name'] == 'Bob i.'
+
+        res = self.testapp.delete(
+            '/api/v2/workspaces/2/contents/7/comments/19',
             status=204
         )
         res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
         assert len(res.json_body) == 2
-        assert not [content for content in res.json_body if content['content_id'] == 20]  # nopep8
+        assert not [content for content in res.json_body if content['content_id'] == 19]  # nopep8
+
+    def test_api__delete_content_comment__ok_200__content_manager_owner(self) -> None:
+        """
+        delete comment (user is content-manager and owner)
+        """
+        self.testapp.authorization = (
+            'Basic',
+            (
+                'admin@admin.admin',
+                'admin@admin.admin'
+            )
+        )
+        res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
+        assert len(res.json_body) == 3
+        comment = res.json_body[1]
+        assert comment['content_id'] == 19
+        assert comment['parent_id'] == 7
+        assert comment['raw_content'] == '<p>What about Apple Pie ? There are Awesome !</p>'   # nopep8
+        assert comment['author']
+        assert comment['author']['user_id'] == 3
+        # TODO - G.M - 2018-06-172 - [avatar] setup avatar url
+        assert comment['author']['avatar_url'] is None
+        assert comment['author']['public_name'] == 'Bob i.'
+
+        res = self.testapp.delete(
+            '/api/v2/workspaces/2/contents/7/comments/19',
+            status=204
+        )
+        res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
+        assert len(res.json_body) == 2
+        assert not [content for content in res.json_body if content['content_id'] == 19]  # nopep8
+
+    def test_api__delete_content_comment__err_403__content_manager(self) -> None:
+        """
+        delete comment (user is content-manager)
+        """
+        self.testapp.authorization = (
+            'Basic',
+            (
+                'bob@fsf.local',
+                'foobarbaz'
+            )
+        )
+        res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
+        assert len(res.json_body) == 3
+        comment = res.json_body[2]
+        assert comment['content_id'] == 20
+        assert comment['parent_id'] == 7
+        assert comment['raw_content'] == '<p>You are right, but Kouign-amann are clearly better.</p>'   # nopep8
+        assert comment['author']
+        assert comment['author']['user_id'] == 4
+        # TODO - G.M - 2018-06-172 - [avatar] setup avatar url
+        assert comment['author']['avatar_url'] is None
+        assert comment['author']['public_name'] == 'John Reader'
+
+        res = self.testapp.delete(
+            '/api/v2/workspaces/2/contents/7/comments/20',
+            status=403
+        )
+
+    def test_api__delete_content_comment__err_403__reader_owner(self) -> None:
+        """
+        delete comment (user is reader and owner)
+        """
+        self.testapp.authorization = (
+            'Basic',
+            (
+                'bob@fsf.local',
+                'foobarbaz'
+            )
+        )
+        res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
+        assert len(res.json_body) == 3
+        comment = res.json_body[2]
+        assert comment['content_id'] == 20
+        assert comment['parent_id'] == 7
+        assert comment['raw_content'] == '<p>You are right, but Kouign-amann are clearly better.</p>'   # nopep8
+        assert comment['author']
+        assert comment['author']['user_id'] == 4
+        # TODO - G.M - 2018-06-172 - [avatar] setup avatar url
+        assert comment['author']['avatar_url'] is None
+        assert comment['author']['public_name'] == 'John Reader'
+
+        res = self.testapp.delete(
+            '/api/v2/workspaces/2/contents/7/comments/20',
+            status=403
+        )
+
+    def test_api__delete_content_comment__err_403__reader(self) -> None:
+        """
+        delete comment (user is reader)
+        """
+        self.testapp.authorization = (
+            'Basic',
+            (
+                'bob@fsf.local',
+                'foobarbaz'
+            )
+        )
+        res = self.testapp.get('/api/v2/workspaces/2/contents/7/comments', status=200)
+        assert len(res.json_body) == 3
+        comment = res.json_body[2]
+        assert comment['content_id'] == 20
+        assert comment['parent_id'] == 7
+        assert comment['raw_content'] == '<p>You are right, but Kouign-amann are clearly better.</p>'   # nopep8
+        assert comment['author']
+        assert comment['author']['user_id'] == 4
+        # TODO - G.M - 2018-06-172 - [avatar] setup avatar url
+        assert comment['author']['avatar_url'] is None
+        assert comment['author']['public_name'] == 'John Reader'
+
+        res = self.testapp.delete(
+            '/api/v2/workspaces/2/contents/7/comments/20',
+            status=403
+        )

tracim/views/contents_api/comment_controller.py

 # coding=utf-8
 import transaction
 from pyramid.config import Configurator
+
 try:  # Python 3.5+
     from http import HTTPStatus
 except ImportError:
 from tracim.extensions import hapic
 from tracim.lib.core.content import ContentApi
 from tracim.lib.core.workspace import WorkspaceApi
+from tracim.lib.utils.authorization import require_workspace_role
+from tracim.lib.utils.authorization import require_comment_ownership_or_role
 from tracim.views.controllers import Controller
 from tracim.views.core_api.schemas import CommentSchema
 from tracim.views.core_api.schemas import CommentsPathSchema
 from tracim.views.core_api.schemas import WorkspaceAndContentIdPathSchema
 from tracim.views.core_api.schemas import NoContentSchema
 from tracim.exceptions import WorkspaceNotFound
-from tracim.exceptions import InsufficientUserProfile
+from tracim.exceptions import InsufficientUserWorkspaceRole
 from tracim.exceptions import NotAuthenticated
 from tracim.exceptions import AuthenticationFailed
 from tracim.models.contents import ContentTypeLegacy as ContentType
 from tracim.models.revision_protection import new_revision
+from tracim.models.data import UserRoleInWorkspace
 
 COMMENT_ENDPOINTS_TAG = 'Comments'
 
 
 class CommentController(Controller):
-    pass
 
     @hapic.with_api_doc(tags=[COMMENT_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
+    @require_workspace_role(UserRoleInWorkspace.READER)
     @hapic.input_path(WorkspaceAndContentIdPathSchema())
     @hapic.output_body(CommentSchema(many=True),)
     def content_comments(self, context, request: TracimRequest, hapic_data=None):
 
     @hapic.with_api_doc(tags=[COMMENT_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
+    @require_workspace_role(UserRoleInWorkspace.CONTRIBUTOR)
     @hapic.input_path(WorkspaceAndContentIdPathSchema())
     @hapic.input_body(SetCommentSchema())
     @hapic.output_body(CommentSchema(),)
 
     @hapic.with_api_doc(tags=[COMMENT_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
+    @require_comment_ownership_or_role(
+        minimal_required_role_for_anyone=UserRoleInWorkspace.WORKSPACE_MANAGER,
+        minimal_required_role_for_owner=UserRoleInWorkspace.CONTRIBUTOR,
+    )
     @hapic.input_path(CommentsPathSchema())
     @hapic.output_body(NoContentSchema(), default_http_code=HTTPStatus.NO_CONTENT)  # nopep8
     def delete_comment(self, context, request: TracimRequest, hapic_data=None):

tracim/views/contents_api/html_document_controller.py

 from tracim.lib.utils.authorization import require_content_types
 from tracim.lib.utils.authorization import require_workspace_role
 from tracim.exceptions import WorkspaceNotFound, ContentTypeNotAllowed
-from tracim.exceptions import InsufficientUserProfile
+from tracim.exceptions import InsufficientUserWorkspaceRole
 from tracim.exceptions import NotAuthenticated
 from tracim.exceptions import AuthenticationFailed
 from tracim.models.contents import ContentTypeLegacy as ContentType
 
     @hapic.with_api_doc(tags=[HTML_DOCUMENT_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @hapic.handle_exception(ContentTypeNotAllowed, HTTPStatus.BAD_REQUEST)
 
     @hapic.with_api_doc(tags=[HTML_DOCUMENT_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @require_workspace_role(UserRoleInWorkspace.CONTRIBUTOR)
 
     @hapic.with_api_doc(tags=[HTML_DOCUMENT_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @require_workspace_role(UserRoleInWorkspace.READER)
 
     @hapic.with_api_doc(tags=[HTML_DOCUMENT_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @require_workspace_role(UserRoleInWorkspace.CONTRIBUTOR)

tracim/views/contents_api/threads_controller.py

 from tracim.lib.utils.authorization import require_content_types
 from tracim.lib.utils.authorization import require_workspace_role
 from tracim.exceptions import WorkspaceNotFound, ContentTypeNotAllowed
-from tracim.exceptions import InsufficientUserProfile
+from tracim.exceptions import InsufficientUserWorkspaceRole
 from tracim.exceptions import NotAuthenticated
 from tracim.exceptions import AuthenticationFailed
 from tracim.models.contents import ContentTypeLegacy as ContentType
 
     @hapic.with_api_doc(tags=[THREAD_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @hapic.handle_exception(ContentTypeNotAllowed, HTTPStatus.BAD_REQUEST)
 
     @hapic.with_api_doc(tags=[THREAD_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @require_workspace_role(UserRoleInWorkspace.CONTRIBUTOR)
 
     @hapic.with_api_doc(tags=[THREAD_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @require_workspace_role(UserRoleInWorkspace.READER)
 
     @hapic.with_api_doc(tags=[THREAD_ENDPOINTS_TAG])
     @hapic.handle_exception(NotAuthenticated, HTTPStatus.UNAUTHORIZED)
-    @hapic.handle_exception(InsufficientUserProfile, HTTPStatus.FORBIDDEN)
+    @hapic.handle_exception(InsufficientUserWorkspaceRole, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(WorkspaceNotFound, HTTPStatus.FORBIDDEN)
     @hapic.handle_exception(AuthenticationFailed, HTTPStatus.BAD_REQUEST)
     @require_workspace_role(UserRoleInWorkspace.CONTRIBUTOR)