XWIKI-21730: Delete own comments should not require edit rights on page

[Sereza7]

Jira URL

https://jira.xwiki.org/browse/XWIKI-21730

Changes

Description

• Changed the permission needed for the delete comment action to be displayed

Clarifications

• The code responsible for allowing or not to delete the comment was introduced in version 3.0-rc1 (see the commit), and apparently it was not a use case considered by those changes. So I don't see an issue with tying the comment deletion action to the comment right instead of the edit right.
• The template for generating these action buttons is a bit of a mess. I considered for a moment changing the order of the buttons to make it cleaner. However after considering stakes, I realized the UI inconsistency between versions would be worst for users than the small code quality/optimization we would have gotten.

Screenshots & Video

In order to test those changes, I registered as a regular user (named '123456'). With the admin user, I changed regular user rights at the wiki level: removed the Edit right and kept the Comment right.
We can see that the delete button only appears after the changes in this PR. This is the behavior expected by the reporter of this ticket.
Before PR:

After PR:

Executed Tests

None, this change only changes the presence of the button in specific right configurations (No edit right but comment right, different from the default Edit+comment rights). I could only see one reference to this in a pageobject. This function is used only once with regular logged in user rights (in here).
Manual tests were conducted successfully, see the screenshots above.

Expected merging strategy

• Prefers squash: Yes
• Backport on branches:
  • 15.10.X - minor change with very low risk

[surli]

To be consistent I would reuse the same condition than the one used for editing a comment, which is right now #if($hasAdmin || $isUserComment) (see line 180).

[Sereza7]

Addressed in f536a96 and f943ae6 . 👍

This selector was a bit more restrictive, actually checking for the comment right. Now, any user can delete their comments even if they don't have any right on a page.

[Sereza7]

Added backend support for deletion of comments. This new action is very similar to regular object removal (which was the action used before), but is based on the Comment right instead of the Edit right.

Changes are mostly contained in the oldcore module, because that's where all the backend logic for actions used in those buttons was already contained.

See a demo of this updated action.
This demo worked with just creating two symlinks on the updated jars for xwiki-oldcore and xwiki-security-authorization-bridge , and updating the commentsinline.vm template.

[surli]

What about introducing a new variable to use in both if for edit and delete? That way we ensure that we'll keep them consistent.

[Sereza7]

Done in 9f841ae 👍

[surli]

Hmmm normally we shouldn't introduce new stuff in this package, we should instead put stuff in org.xwiki... package, even in oldcore... Now it would make this class far from the other actions, so I'm not sure here...

[Sereza7]

• We need a new action for the map in XWikiCachingRightService. This means that we cannot just reuse another action.
• All actions are already here.
• The code I used in this class is very similar to ObjectRemoveAction. It's mostly oldcore quality code. It'd probably need even more quality improvements to be anywhere else and I don't think it's worth spending that much time on rewriting it.

[surli]

I don't think it's worth spending that much time on rewriting it.

Note that I was only talking about moving that class to another package. Now if it's using some package private stuff it's making this more complex indeed.

[tmortagne]

Honestly it does not make much sense to have CommentAddAction here and CommentDeleteAction elsewhere so +1 to keep it here.

[surli]

Nothing to handle the exception?

[Sereza7]

Note that most parts are the same as ObjectRemoveAction. This empty exception handle has been in this other file since 2008 so it seems like it's not a huge problem.
This is bad quality I agree.
I added a log similar to what was done in XWikiAction.java

xwiki-platform/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/XWikiAction.java

Line 385 in 4e2efc8

LOGGER.error("Failed to send error response to AJAX save and continue request.", e);

Addressed in 767daac 👍

[surli]

Hmm really not a fan of this piece of code: at the very least "failed" should be in a String variable and you should eruse it also for the length. Now I'm not sure why you just answer "failed"?

[Sereza7]

Note that this part is pretty much the same as ObjectRemoveAction.
I updated it and also changed ObjectRemoveAction to match these changes.

See 6edbec1 👍

[surli]

And this check is working if you don't have edit right on the doc?

[Sereza7]

From what I can understand of this code I reused from ObjectRemoveAction, this does not check the rights of the current user but the state of the document (whether it's in a saveable state or not). I'm retesting things manually to make sure everything is alright.

[Sereza7]

Okay, I finally figured it out. The authorisation to do this action is handled at the level of XWikiCachingRightService. This is also the reason why we need an independant action even thought it's pretty much the same as object deletion. From what I understand, one action can only be mapped to one right. Setting the other object editions to depend on the Comment right is wrong, we need to separate this into two actions.

[Sereza7]

I can confirm this. I forgot to put the security .jar on my local instance and the action wouldn't go through (with edit rights disabled but comment rights enabled). Updating it as expected fixed the backend permission issue.

[Sereza7]

I'm retesting things manually to make sure everything is alright.

Except for an oldcore exception that's unrelated to this PR, builds are okay.

[surli]

A test class should be provided too.

[Sereza7]

Added a test for this class.

For both the test and the new Java class, I made sure to reformat the code with XWiki standard on Intellij Idea
I successfully passed mvn clean install -f xwiki-platform-core/xwiki-platform-oldcore -Pquality. All that was reported by SonarLint on both of the files are the @MockComponent that are not used in the class , which is a false positive. They are needed for our test class to work properly.

Added the test class in 1579ded 👍

[Sereza7]

This PR is ready for further reviewing.

[surli]

Hmmm I'm not so sure about that change... Yeah I know I commented to have consistency in an early review :)
Have you tested if it actually works to edit a comment for a page in which the comment user doesn't have edit right?

[surli]

Hmm wrong annotation I think: this one takes as values a list of component. I guess you wanted to use @ComponentTest?

[tmortagne]

Note that you should not use @ComponentTest either since you have @OldcoreTest (it's one or the other).

[tmortagne]

Is the indentation change on purpose ?

[tmortagne]

It's a component, so you can inject a Logger (you find this kind of stuff in other actions because they used to not be components, but for new code let's do things by the book).

[tmortagne]

Same comment as above about injected Loggers.

[tmortagne]

mockXWiki = false sounds a bit strange, this was basically introduced for tests of XWiki, but tests not really testing XWiki itself generally don't want to do that

[tmortagne]

Nothing critical but commentremove would feel more consistent with objectremove, especially since it's reusing ObjectRemoveForm.

[tmortagne]

Might worth moving most of this class in some AbstractObjectRemoveAction that would also be extended by ObjectRemoveAction (to me it seems the main different is that CommentRemoveAction would indicate a hardcoded class to AbstractObjectRemoveAction instead of using the one provided by ObjectRemoveForm).

[tmortagne]

Why do you need to create a DocumentReference ?

[tmortagne]

Manipulating the class name does not make sense for this action, since it's always about comments (or only to return an error if someone tried to be clever and use this action to delete another type of xobject with just comment right).