feat: Allow users to report comments (#3016)

Comments can be used to potentially harass users who request comments.
A button was added to report a message as inappropriate.

Resolves #2715

Author: arkirchner

app/assets/stylesheets/request-for-comments.css.scss

@@ -212,6 +212,10 @@ html[data-bs-theme="light"] {
       button {
         margin-right: 5px;
       }
+
+      .action-report {
+        margin-left: auto;
+      }
     }
   }
 }

app/controllers/comments_controller.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class CommentsController < ApplicationController
-  before_action :set_comment, only: %i[show update destroy]
+  before_action :set_comment, only: %i[show update destroy report]
 
   def authorize!
     authorize(@comment || @comments)
@@ -15,12 +15,6 @@ def index
     submission = Submission.find_by(id: file.context_id)
     if submission
       @comments = Comment.where(file_id: params[:file_id])
-      @comments.map do |comment|
-        comment.username = comment.user.displayname
-        comment.date = comment.created_at.strftime('%d.%m.%Y %k:%M')
-        comment.updated = (comment.created_at != comment.updated_at)
-        comment.editable = policy(comment).edit?
-      end
     else
       @comments = []
     end
@@ -67,6 +61,15 @@ def destroy
     head :no_content
   end
 
+  # POST /comments/1/report.json
+  def report
+    authorize!
+
+    UserContentReportMailer.with(reported_content: @comment).report_content.deliver_later
+
+    head :no_content
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.

app/controllers/request_for_comments_controller.rb

@@ -167,9 +167,9 @@ def create
   def report
     authorize!
 
-    ReportMailer.with(reported_content: @request_for_comment).report_content.deliver_later
+    UserContentReportMailer.with(reported_content: @request_for_comment).report_content.deliver_later
 
-    redirect_to @request_for_comment, notice: t('.report.reported'), status: :see_other
+    redirect_to @request_for_comment, notice: t('.reported'), status: :see_other
   end
 
   private

app/javascript/sprocket-asset-import/request-for-comments.js

@@ -112,9 +112,10 @@ $(document).on('turbo-migration:load', function () {
           </div> \
           <div class="comment-content">' + commentText + '</div> \
           <textarea class="comment-editor">' + commentText + '</textarea> \
-          <div class="comment-actions' + (comment.editable ? '' : ' d-none') + '"> \
-            <button class="action-edit btn btn-sm btn-warning">' + I18n.t('shared.edit') + '</button> \
-            <button class="action-delete btn btn-sm btn-danger">' + I18n.t('shared.destroy') + '</button> \
+          <div class="comment-actions' + (comment.editable || comment.reportable ? '' : ' d-none') + '"> \
+            <button class="action-edit btn btn-sm btn-warning' + (comment.editable ? '' : ' d-none') + '">' + I18n.t('shared.edit') + '</button> \
+            <button class="action-delete btn btn-sm btn-danger' + (comment.editable ? '' : ' d-none') + '">' + I18n.t('shared.destroy') + '</button> \
+            <button class="action-report btn btn-light btn-sm' + (comment.reportable ? '' : ' d-none') + '">' + I18n.t('shared.report') + '</button> \
           </div> \
         </div>';
         });
@@ -166,6 +167,17 @@ $(document).on('turbo-migration:load', function () {
         })
     }
 
+    function reportComment(commentId, callback) {
+        const jqxhr = $.ajax({
+            type: 'POST',
+            url: Routes.report_comment_path(commentId)
+        });
+        jqxhr.done(function () {
+            callback();
+        });
+        jqxhr.fail(ajaxError);
+    }
+
     function deleteComment(commentId, editor, file_id, callback) {
         const jqxhr = $.ajax({
             type: 'DELETE',
@@ -313,6 +325,17 @@ $(document).on('turbo-migration:load', function () {
             const container = otherComments.find('.container');
             container.html(htmlContent);
 
+            const reportButtons = container.find('.action-report');
+            reportButtons.on('click', function (event) {
+                const button = $(event.target);
+                const parent = $(button).parent().parent();
+                const commentId = parent.data('comment-id');
+
+                reportComment(commentId, function () {
+                  parent.html('<div class="comment-reported">' + I18n.t('comments.reported') + '</div>');
+                });
+            });
+
             const deleteButtons = container.find('.action-delete');
             deleteButtons.on('click', function (event) {
                 const button = $(event.target);

app/mailers/report_mailer.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class UserContentReportMailer < ApplicationMailer
+  default to: CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails)
+
+  def report_content
+    @user_content_report = UserContentReport.new(reported_content: params.fetch(:reported_content))
+
+    mail(subject: I18n.t('user_content_report_mailer.report_content.subject', human_model_name: @user_content_report.human_model_name))
+  end
+end

app/mailers/user_content_report_mailer.rb

@@ -5,8 +5,6 @@ class Comment < ApplicationRecord
   include Creation
   include ActionCableHelper
 
-  attr_accessor :username, :date, :updated, :editable
-
   belongs_to :file, class_name: 'CodeOcean::File'
   has_one :submission, through: :file, source: :context, source_type: 'Submission'
   has_one :request_for_comment, through: :submission

app/models/comment.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 class CommentPolicy < ApplicationPolicy
+  REPORT_RECEIVER_CONFIGURED = CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails).present?
+
   def create?
-    everyone
+    show?
   end
 
   def show?
-    everyone
+    Pundit.policy(@user, @record.request_for_comment).show? && everyone
   end
 
   %i[destroy? update? edit?].each do |action|
@@ -16,4 +18,8 @@ def show?
   def index?
     everyone
   end
+
+  def report?
+    REPORT_RECEIVER_CONFIGURED && show? && !author?
+  end
 end

app/policies/comment_policy.rb

@@ -1,6 +1,11 @@
 # frozen_string_literal: true
 
 json.array!(@comments) do |comment|
-  json.extract! comment, :id, :user_id, :file_id, :row, :column, :text, :username, :date, :updated, :editable
+  json.extract! comment, :id, :user_id, :file_id, :row, :column, :text
+  json.username comment.user.displayname
+  json.date comment.created_at.strftime('%d.%m.%Y %k:%M')
+  json.updated(comment.created_at != comment.updated_at)
+  json.editable policy(comment).edit?
+  json.reportable policy(comment).report?
   json.url comment_url(comment, format: :json)
 end