From 427861dc1fb7cef488a33e96923faab59b3588a5 Mon Sep 17 00:00:00 2001
From: Luigi Pellecchia
Date: Tue, 31 Mar 2026 17:03:03 +0200
Subject: [PATCH 1/2] Allow user with read permissions to add comments to work items
Signed-off-by: Luigi Pellecchia
---
 api/api.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/api/api.py b/api/api.py
index 9f4774d..bbbebab 100644
--- a/api/api.py
+++ b/api/api.py
@@ -2293,7 +2293,7 @@ def get(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterf
 comments = [c.as_dict() for c in query.all()]
 return comments
- @check_api_user_write_permission
+ @check_api_user_read_permission
 def post(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterface = None):
 request_data = request.get_json(force=True)
@@ -2355,7 +2355,7 @@ def post(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInter
 return new_comment.as_dict()
- @check_api_user_write_permission
+ @check_api_user_read_permission
 def put(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterface = None):
 request_data = request.get_json(force=True)
@@ -2388,7 +2388,7 @@ def put(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterf
 return comment_model.as_dict()
- @check_api_user_write_permission
+ @check_api_user_read_permission
 def delete(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterface = None):
 request_data = request.get_json(force=True)
From f94c70f05f289f71c5127010fd144cd9442eabc8 Mon Sep 17 00:00:00 2001
From: Luigi Pellecchia
Date: Tue, 31 Mar 2026 17:29:38 +0200
Subject: [PATCH 2/2] Fix comment unit tests to skip unauthorized check
Signed-off-by: Luigi Pellecchia
---
 api/test/test_comment.py | 23 +++++++----------------
 1 file changed, 7 insertions(+), 16 deletions(-)
diff --git a/api/test/test_comment.py b/api/test/test_comment.py
index aa9a381..bc3082b 100644
--- a/api/test/test_comment.py
+++ b/api/test/test_comment.py
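Review bot: The put and delete hunks in api/api.py (at -2355 and -2388) also downgrade to `@check_api_user_read_permission`, although the commit message only asks to let read-only users add comments; unless the method bodies, which continue outside the hunks, verify that the comment being edited or deleted belongs to the authenticated `user`, any read-only user can now modify or remove other users' comments. I would keep `@check_api_user_write_permission` on `put` and `delete`, or add an explicit ownership check before `comment_model` is updated or removed, and record the intent on `post` with a comment such as `# Read-level API access is sufficient to add a comment (see commit 427861d)`. The second commit's test changes suggest that requests missing `user-id`/`token` no longer return UNAUTHORIZED under the read decorator; if the read check admits unauthenticated callers on public APIs, comment creation, editing and deletion become reachable without any credentials, which should be confirmed before merging.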
@@ -139,7 +139,7 @@ def test_login(user_authentication):
 assert user_authentication.status_code == 200
-@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment', 'parent_table', 'parent_id', 'user-id', 'token'])
+@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment', 'parent_table', 'parent_id'])
 def test_comment_post_bad_payload(client, user_authentication, api_sr_db, mandatory_field):
 """ Post request with bad payload, missing fields """
@@ -159,10 +159,7 @@ def test_comment_post_bad_payload(client, user_authentication, api_sr_db, mandat
 mapping_data.pop(mandatory_field)
 response = client.post(_MAPPING_COMMENT_URL, json=mapping_data)
- if mandatory_field in ['user-id', 'token']:
- assert response.status_code == HTTPStatus.UNAUTHORIZED
- else:
- assert response.status_code == HTTPStatus.BAD_REQUEST
+ assert response.status_code == HTTPStatus.BAD_REQUEST
 def test_comment_post_put_delete(client, user_authentication, api_sr_db):
@@ -215,7 +212,7 @@ def test_comment_post_put_delete(client, user_authentication, api_sr_db):
 @pytest.mark.parametrize('mandatory_field',
- ['api-id', 'comment_id', 'comment', 'parent_table', 'parent_id', 'user-id', 'token'])
+ ['api-id', 'comment_id', 'comment', 'parent_table', 'parent_id'])
 def test_comment_put_bad_payload(client, user_authentication, api_sr_db, mandatory_field):
 """ Put request with bad payload, missing fields """
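Review bot: Dropping `'user-id'` and `'token'` from the parametrize lists and removing the UNAUTHORIZED branch (hunks at -139, -159 and -215 here, and -236 and -261 in the following hunks) leaves no test that a comment write without credentials is rejected, so a regression that lets anonymous callers post, edit or delete comments would pass the suite unnoticed. Rather than deleting the case, I would keep one dedicated test per method that pops `user-id` and `token` and asserts the intended status, e.g. `assert response.status_code == HTTPStatus.UNAUTHORIZED`; if the read-permission decorator is meant to accept anonymous callers on some APIs, the test should state that expected status explicitly instead of going silent. The commit title says the unauthorized check is skipped, but the description does not say why the assertion stopped holding after the decorator change, which is the part a reviewer needs recorded.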
@@ -236,13 +233,10 @@ def test_comment_put_bad_payload(client, user_authentication, api_sr_db, mandato
 mapping_data.pop(mandatory_field)
 response = client.put(_MAPPING_COMMENT_URL, json=mapping_data)
- if mandatory_field in ['user-id', 'token']:
- assert response.status_code == HTTPStatus.UNAUTHORIZED
- else:
- assert response.status_code == HTTPStatus.BAD_REQUEST
+ assert response.status_code == HTTPStatus.BAD_REQUEST
-@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment_id', 'parent_table', 'parent_id', 'user-id', 'token'])
+@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment_id', 'parent_table', 'parent_id'])
 def test_comment_delete_bad_payload(client, user_authentication, api_sr_db, mandatory_field):
 """ Delete request with bad payload, missing fields """
@@ -261,8 +255,5 @@ def test_comment_delete_bad_payload(client, user_authentication, api_sr_db, mand
 # Generate bad payload removing a mandatory field
 mapping_data.pop(mandatory_field)
- response = client.put(_MAPPING_COMMENT_URL, json=mapping_data)
- if mandatory_field in ['user-id', 'token']:
- assert response.status_code == HTTPStatus.UNAUTHORIZED
- else:
- assert response.status_code == HTTPStatus.BAD_REQUEST
+ response = client.delete(_MAPPING_COMMENT_URL, json=mapping_data)
+ assert response.status_code == HTTPStatus.BAD_REQUEST