Allow only one appeal from an email address. (#8163)

isoos · web-flow · commit 4fc7b48de31e · 2024-10-18T15:15:10.000+02:00
diff --git a/app/lib/admin/backend.dart b/app/lib/admin/backend.dart
@@ -929,4 +929,16 @@ class AdminBackend {
       _logger.info('Deleting moderated user: ${user.userId}');
     }
   }
+
+  /// Whether the [ModerationCase] has been appealed by [email] already.
+  Future<bool> isModerationCaseAppealedByEmail({
+    required String caseId,
+    required String email,
+  }) async {
+    final query = dbService.query<ModerationCase>()
+      ..filter('appealedCaseId =', caseId);
+    final list = await query.run().toList();
+    final emails = list.map((mc) => mc.reporterEmail).toSet();
+    return emails.contains(email);
+  }
 }
diff --git a/app/lib/frontend/handlers/report.dart b/app/lib/frontend/handlers/report.dart
@@ -206,6 +206,17 @@ Future<Message> processReportPageHandler(
 
   final isAppeal = form.caseId != null;
 
+  if (isAppeal) {
+    final appealExists = await adminBackend.isModerationCaseAppealedByEmail(
+      caseId: form.caseId!,
+      email: userEmail!,
+    );
+    if (appealExists) {
+      throw InvalidInputException(
+          'You have previously appealed this incident, we are unable to accept another appeal.');
+    }
+  }
+
   bool isSubjectOwner = false;
   if (user != null) {
     if (subject.isPackage) {
diff --git a/app/test/frontend/handlers/report_test.dart b/app/test/frontend/handlers/report_test.dart
@@ -363,11 +363,13 @@ void main() {
       );
     });
 
-    testWithProfile('unauthenticated appeal success', fn: () async {
+    testWithProfile('unauthenticated appeal success, second appeal fails',
+        fn: () async {
       await _prepareApplied(
         logSubject: 'package-version:oxygen/1.2.0',
       );
 
+      // first report: success
       await withHttpPubApiClient(
         fn: (client) async {
           final msg = await client.postReport(ReportForm(
@@ -396,6 +398,22 @@ void main() {
           expect(mc.isSubjectOwner, false);
         },
       );
+
+      // second report: rejected
+      await withHttpPubApiClient(fn: (client) async {
+        await expectApiException(
+          client.postReport(ReportForm(
+            email: 'user2@pub.dev',
+            subject: 'package-version:oxygen/1.2.0',
+            caseId: 'case/1',
+            message: 'Huston, we have a problem.',
+          )),
+          code: 'InvalidInput',
+          status: 400,
+          message:
+              'You have previously appealed this incident, we are unable to accept another appeal.',
+        );
+      });
     });
 
     testWithProfile('authenticated appeal success', fn: () async {

Original file line number	Diff line number	Diff line change
`@@ -929,4 +929,16 @@ class AdminBackend {`
`929`	`929`	`_logger.info('Deleting moderated user: ${user.userId}');`
`930`	`930`	`}`
`931`	`931`	`}`
	`932`	`+`
	`933`	`+ /// Whether the [ModerationCase] has been appealed by [email] already.`
	`934`	`+ Future<bool> isModerationCaseAppealedByEmail({`
	`935`	`+ required String caseId,`
	`936`	`+ required String email,`
	`937`	`+ }) async {`
	`938`	`+ final query = dbService.query<ModerationCase>()`
	`939`	`+ ..filter('appealedCaseId =', caseId);`
	`940`	`+ final list = await query.run().toList();`
	`941`	`+ final emails = list.map((mc) => mc.reporterEmail).toSet();`
	`942`	`+ return emails.contains(email);`
	`943`	`+ }`
`932`	`944`	`}`