Skip to content

Allow user with read permissions to add comments to work items #264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pellecchialuigi merged 2 commits into from
Apr 1, 2026
Merged

Allow user with read permissions to add comments to work items #264

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
427861d
Allow user with read permissions to add comments to work items
Mar 31, 2026
f94c70f
Fix comment unit tests to skip unauthorized check
Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions api/api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2293,7 +2293,7 @@ def get(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterf
comments = [c.as_dict() for c in query.all()]
return comments

@check_api_user_write_permission
@check_api_user_read_permission
def post(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterface = None):
request_data = request.get_json(force=True)

Expand Down Expand Up @@ -2355,7 +2355,7 @@ def post(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInter

return new_comment.as_dict()

@check_api_user_write_permission
@check_api_user_read_permission
def put(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterface = None):
request_data = request.get_json(force=True)

Expand Down Expand Up @@ -2388,7 +2388,7 @@ def put(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterf

return comment_model.as_dict()

@check_api_user_write_permission
@check_api_user_read_permission
def delete(self, api: ApiModel = None, user: UserModel = None, dbi: db_orm.DbInterface = None):
request_data = request.get_json(force=True)

Expand Down
23 changes: 7 additions & 16 deletions api/test/test_comment.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -139,7 +139,7 @@ def test_login(user_authentication):
assert user_authentication.status_code == 200


@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment', 'parent_table', 'parent_id', 'user-id', 'token'])
@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment', 'parent_table', 'parent_id'])
def test_comment_post_bad_payload(client, user_authentication, api_sr_db, mandatory_field):
""" Post request with bad payload, missing fields """

Expand All @@ -159,10 +159,7 @@ def test_comment_post_bad_payload(client, user_authentication, api_sr_db, mandat
mapping_data.pop(mandatory_field)

response = client.post(_MAPPING_COMMENT_URL, json=mapping_data)
if mandatory_field in ['user-id', 'token']:
assert response.status_code == HTTPStatus.UNAUTHORIZED
else:
assert response.status_code == HTTPStatus.BAD_REQUEST
assert response.status_code == HTTPStatus.BAD_REQUEST


def test_comment_post_put_delete(client, user_authentication, api_sr_db):
Expand Down Expand Up @@ -215,7 +212,7 @@ def test_comment_post_put_delete(client, user_authentication, api_sr_db):


@pytest.mark.parametrize('mandatory_field',
['api-id', 'comment_id', 'comment', 'parent_table', 'parent_id', 'user-id', 'token'])
['api-id', 'comment_id', 'comment', 'parent_table', 'parent_id'])
def test_comment_put_bad_payload(client, user_authentication, api_sr_db, mandatory_field):
""" Put request with bad payload, missing fields """

Expand All @@ -236,13 +233,10 @@ def test_comment_put_bad_payload(client, user_authentication, api_sr_db, mandato
mapping_data.pop(mandatory_field)

response = client.put(_MAPPING_COMMENT_URL, json=mapping_data)
if mandatory_field in ['user-id', 'token']:
assert response.status_code == HTTPStatus.UNAUTHORIZED
else:
assert response.status_code == HTTPStatus.BAD_REQUEST
assert response.status_code == HTTPStatus.BAD_REQUEST


@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment_id', 'parent_table', 'parent_id', 'user-id', 'token'])
@pytest.mark.parametrize('mandatory_field', ['api-id', 'comment_id', 'parent_table', 'parent_id'])
def test_comment_delete_bad_payload(client, user_authentication, api_sr_db, mandatory_field):
""" Delete request with bad payload, missing fields """

Expand All @@ -261,8 +255,5 @@ def test_comment_delete_bad_payload(client, user_authentication, api_sr_db, mand
# Generate bad payload removing a mandatory field
mapping_data.pop(mandatory_field)

response = client.put(_MAPPING_COMMENT_URL, json=mapping_data)
if mandatory_field in ['user-id', 'token']:
assert response.status_code == HTTPStatus.UNAUTHORIZED
else:
assert response.status_code == HTTPStatus.BAD_REQUEST
response = client.delete(_MAPPING_COMMENT_URL, json=mapping_data)
assert response.status_code == HTTPStatus.BAD_REQUEST
Loading