RfCs: Allow reporting of inappropriate content (#2946)

arkirchner · nenock · MrSerth · web-flow · commit 75b9297a2171 · 2025-07-02T10:44:59.000+02:00
RfCs are user-generated content that can be reviewed by other users. This feature can be misused. A simple email-based reporting mechanism has been added, to allow users to report malicious content. The UI for the RfC comment are part of a separate change. Relates to #2715 Co-authored-by: Nele Sina Noack <nele.noack@hpi.de> Co-authored-by: Sebastian Serth <sebastian.serth@hpi.de>
diff --git a/app/controllers/request_for_comments_controller.rb b/app/controllers/request_for_comments_controller.rb
@@ -2,7 +2,7 @@
 
 class RequestForCommentsController < ApplicationController
   include CommonBehavior
-  before_action :set_request_for_comment, only: %i[show mark_as_solved set_thank_you_note clear_question]
+  before_action :set_request_for_comment, only: %i[show mark_as_solved set_thank_you_note clear_question report]
   before_action :set_study_group_grouping,
     only: %i[index my_comment_requests rfcs_with_my_comments rfcs_for_exercise]
 
@@ -162,6 +162,15 @@ def create
     authorize!
   end
 
+  # POST /request_for_comments/1/report
+  def report
+    authorize!
+
+    ReportMailer.with(reported_content: @request_for_comment).report_content.deliver_later
+
+    redirect_to(@request_for_comment, notice: t('.report.reported'))
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.
diff --git a/app/mailers/report_mailer.rb b/app/mailers/report_mailer.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ReportMailer < ApplicationMailer
+  default to: CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails)
+
+  def report_content
+    @reported_content = params.fetch(:reported_content)
+
+    mail(subject: I18n.t('report_mailer.report_content.subject', content_name: @reported_content.model_name.human))
+  end
+end
diff --git a/app/policies/request_for_comment_policy.rb b/app/policies/request_for_comment_policy.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class RequestForCommentPolicy < ApplicationPolicy
+  REPORT_RECEIVER_CONFIGURED = CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails).present?
+
   def create?
     everyone
   end
@@ -41,6 +43,12 @@ def rfcs_with_my_comments?
     everyone
   end
 
+  def report?
+    REPORT_RECEIVER_CONFIGURED && show? && !author?
+  end
+
+  private
+
   def rfc_visibility
     # The consumer with the most restricted visibility determines the visibility of the RfC
     case [@user.consumer.rfc_visibility, @record.author.consumer.rfc_visibility]
diff --git a/app/views/report_mailer/report_content.html.slim b/app/views/report_mailer/report_content.html.slim
@@ -0,0 +1,4 @@
+h3 = t('.prolog')
+blockquote style="white-space: pre-wrap;" = @reported_content.question
+p = t('.take_action')
+p = link_to(request_for_comment_url(@reported_content), request_for_comment_url(@reported_content))
diff --git a/app/views/report_mailer/report_content.text.slim b/app/views/report_mailer/report_content.text.slim
@@ -0,0 +1,7 @@
+== t('.prolog')
+== "\n\n"
+== @reported_content.question.lines.map { "> #{it}" }.join
+== "\n\n"
+== t('.take_action')
+== "\n\n"
+== request_for_comment_url(@reported_content)
diff --git a/app/views/request_for_comments/_report.html.slim b/app/views/request_for_comments/_report.html.slim
@@ -0,0 +1,7 @@
+/# locals: (request_for_comment:)
+
+- if policy(request_for_comment).report?
+  = button_to t('.report'), report_request_for_comment_path(request_for_comment),
+      data: {confirm: t('.confirm')},
+      class: 'btn btn-light btn-sm',
+      form: {class: 'd-inline float-end'}
diff --git a/app/views/request_for_comments/show.html.slim b/app/views/request_for_comments/show.html.slim
@@ -25,6 +25,7 @@
     .question
       h5.mt-4
         = RequestForComment.human_attribute_name('question')
+        = render('report', request_for_comment: @request_for_comment)
       .text
         - question = @request_for_comment.question
         = question.presence || t('request_for_comments.no_question')
diff --git a/config/code_ocean.yml.example b/config/code_ocean.yml.example
@@ -55,13 +55,22 @@ default: &default
     # be truly greater than any permitted execution time of an execution environment.
     unused_runner_expiration_time: 180
 
+  content_moderation:
+    # Learners can report inappropriate content, such as offensive RfCs or comments.
+    # For each report, an email is sent to all addresses listed below. If no address is
+    # configured, learners cannot report user-generated content.
+    report_emails:
+      # - report@example.com
 
 development:
   <<: *default
   flowr:
     enabled: true
   codeharbor:
     enabled: true
+  content_moderation:
+    report_emails:
+      - report@example.com
 
 
 production:
diff --git a/config/locales/de/report.yml b/config/locales/de/report.yml
@@ -0,0 +1,7 @@
+---
+de:
+  report_mailer:
+    report_content:
+      prolog: 'Die folgenden Inhalte wurden als unangemessen gemeldet:'
+      subject: 'Spam Report: Ein %{content_name} in CodeOcean wurde als unangemessen markiert.'
+      take_action: Bitte ergreifen Sie gegebenenfalls Maßnahmen.
diff --git a/config/locales/de/request_for_comment.yml b/config/locales/de/request_for_comment.yml
@@ -42,6 +42,10 @@ de:
     no_output: Keine Ausgabe.
     no_question: Der/die Autor:in hat keine Frage zu dieser Anfrage gestellt.
     passed: Erfolgreich
+    report:
+      confirm: Möchten Sie diesen Inhalt melden?
+      report: Melden
+      reported: Vielen Dank, dass Sie uns auf dieses Problem aufmerksam gemacht haben. Wir werden uns in Kürze darum kümmern.
     runtime_output: Programmausgabe
     send_thank_you_note: Senden
     show_all: Alle Anfragen anzeigen
diff --git a/config/locales/en/report.yml b/config/locales/en/report.yml
@@ -0,0 +1,7 @@
+---
+en:
+  report_mailer:
+    report_content:
+      prolog: 'The following content has been reported as inappropriate:'
+      subject: 'Spam Report: A %{content_name} on CodeOcean has been marked as inappropriate.'
+      take_action: Please take action if required.
diff --git a/config/locales/en/request_for_comment.yml b/config/locales/en/request_for_comment.yml
@@ -42,6 +42,10 @@ en:
     no_output: No output.
     no_question: The author did not enter a question for this request.
     passed: Passed
+    report:
+      confirm: Do you want to report this content?
+      report: Report
+      reported: Thank you for letting us know about this issue. We will look into the matter shortly.
     runtime_output: Runtime Output
     send_thank_you_note: Send
     show_all: All requests
diff --git a/config/routes.rb b/config/routes.rb
@@ -21,6 +21,7 @@
       get :mark_as_solved, defaults: {format: :json}
       post :set_thank_you_note, defaults: {format: :json}
       post :clear_question
+      post :report
     end
   end
   resources :comments, defaults: {format: :json}
diff --git a/spec/controllers/comments_controller_spec.rb b/spec/controllers/comments_controller_spec.rb
@@ -5,8 +5,8 @@
 RSpec.describe CommentsController do
   render_views
 
-  let(:user) { create(:learner) }
-  let(:rfc_with_comment) { create(:rfc_with_comment, user:) }
+  let(:user) { comment.user }
+  let(:rfc_with_comment) { create(:rfc_with_comment) }
   let(:comment) { rfc_with_comment.comments.first }
   let(:updated_comment) { comment.reload }
   let(:perform_request) { proc { put :update, format: :json, params: {id: comment.id, comment: comment_params} } }
diff --git a/spec/factories/comment.rb b/spec/factories/comment.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :comment do
+    file { create(:rfc).file }
+    user factory: :learner
+    row { 1 }
+    text { "comment on file #{file.id} on #{row}" }
+  end
+end
diff --git a/spec/factories/request_for_comment.rb b/spec/factories/request_for_comment.rb
@@ -12,7 +12,7 @@
 
     factory :rfc_with_comment, class: 'RequestForComment' do
       after(:create) do |rfc|
-        Comment.create(file: rfc.file, user: rfc.user, row: 1, text: "comment for rfc #{rfc.question}")
+        create(:comment, file: rfc.file)
       end
     end
   end
diff --git a/spec/mailers/previews/report_mailer_preview.rb b/spec/mailers/previews/report_mailer_preview.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class ReportMailerPreview < ActionMailer::Preview
+  def report
+    rfc = FactoryBot.build_stubbed(:rfc)
+
+    ReportMailer.with(reported_content: rfc).report_content
+  end
+end
diff --git a/spec/mailers/report_mailer_spec.rb b/spec/mailers/report_mailer_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ReportMailer do
+  describe '#report_content' do
+    subject(:mail) { described_class.with(reported_content:).report_content }
+
+    context 'when an RfC is reported' do
+      let(:question) { 'Inappropriate content for RfC.' }
+      let(:reported_content) { create(:rfc, question:) }
+
+      it 'sets the correct sender' do
+        expect(mail.from).to include('codeocean@openhpi.de')
+      end
+
+      it 'sets the correct subject' do
+        expect(mail.subject).to eq(I18n.t('report_mailer.report_content.subject', content_name: RequestForComment.model_name.human))
+      end
+
+      it 'includes the reported content' do
+        expect(mail.text_part.body).to include(question)
+        expect(mail.html_part.body).to include(question)
+      end
+    end
+  end
+end
diff --git a/spec/policies/request_for_comment_policy_spec.rb b/spec/policies/request_for_comment_policy_spec.rb
diff --git a/spec/request/request_for_comments_spec.rb b/spec/request/request_for_comments_spec.rb
diff --git a/spec/system/report_request_for_comments_system_spec.rb b/spec/system/report_request_for_comments_system_spec.rb
