Allow reporting of malicious content

arkirchner · arkirchner · commit 9631f0536ab4 · 2025-06-04T17:41:28.000+02:00
RfCs and Comments on RfCs are user generated content that can be
reviewed by other users. This feature can be misused. A simple
email based reporting mechanism has been added allow users to
report this malicious content.

The UI for the RfC comment are part of a separate change.
diff --git a/Gemfile b/Gemfile
@@ -64,6 +64,7 @@ gem 'sentry-rails' # rubocop:disable Bundler/OrderedGems
 gem 'sentry-ruby'
 
 group :development do
+  gem 'ruby-lsp'
   gem 'web-console'
 end
 
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -442,6 +442,8 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
+    rbs (3.9.4)
+      logger
     rbtree (0.4.6)
     rdoc (6.14.0)
       erb
@@ -509,6 +511,11 @@ GEM
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
       rubocop-rspec (~> 3.5)
+    ruby-lsp (0.23.21)
+      language_server-protocol (~> 3.17.0)
+      prism (>= 1.2, < 2.0)
+      rbs (>= 3, < 4)
+      sorbet-runtime (>= 0.5.10782)
     ruby-progressbar (1.13.0)
     ruby-vips (2.2.3)
       ffi (~> 1.12)
@@ -730,6 +737,7 @@ DEPENDENCIES
   rubocop-rails
   rubocop-rspec
   rubocop-rspec_rails
+  ruby-lsp
   rubytree
   rubyzip
   sassc-rails
@@ -928,6 +936,7 @@ CHECKSUMS
   ransack (4.3.0) sha256=48e141814eb4af8a5cc4e9890b7a088fe818c9996c6b8c846f11104b4c12e8b1
   rb-fsevent (0.11.2) sha256=43900b972e7301d6570f64b850a5aa67833ee7d87b458ee92805d56b7318aefe
   rb-inotify (0.11.1) sha256=a0a700441239b0ff18eb65e3866236cd78613d6b9f78fea1f9ac47a85e47be6e
+  rbs (3.9.4) sha256=8e42c8f133fc2d94b65f62f34479546de1247b79892b57584f625b61e518a5d7
   rbtree (0.4.6) sha256=14eea4469b24fd2472542e5f3eb105d6344c8ccf36f0b56d55fdcfeb4e0f10fc
   rdoc (6.14.0) sha256=2c46de58d7129b8743fcf6d76e3db971bdc914150e15ac06b386549bd82ed7db
   regexp_parser (2.10.0) sha256=cb6f0ddde88772cd64bff1dbbf68df66d376043fe2e66a9ef77fcb1b0c548c61
@@ -949,6 +958,7 @@ CHECKSUMS
   rubocop-rails (2.32.0) sha256=9fcc623c8722fe71e835e99c4a18b740b5b0d3fb69915d7f0777f00794b30490
   rubocop-rspec (3.6.0) sha256=c0e4205871776727e54dee9cc91af5fd74578001551ba40e1fe1a1ab4b404479
   rubocop-rspec_rails (2.31.0) sha256=775375e18a26a1184a812ef3054b79d218e85601b9ae897f38f8be24dddf1f45
+  ruby-lsp (0.23.21) sha256=164f2e2d16b75930d1a0dd2ec28a5320f22ac9910defe5ab433467c431b99be0
   ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
   ruby-vips (2.2.3) sha256=41d12b1a805cd6ead4a7965201a8f7c5fe459bb58d3a7d967c9eb0719a6edc92
   rubytree (2.1.1) sha256=4925016356a81730e982f1f8c3b5f8da461f18906c77d238bad4c4ba896abd41
diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class ReportsController < ApplicationController
+  def create
+    authorize(reported_content, policy_class: ReportPolicy)
+    ReportMailer.with(reported_content:).report_content.deliver_later
+    redirect_back(fallback_location: :root, notice: t('reports.reported'))
+  end
+
+  private
+
+  def reported_content
+    @reported_content ||= GlobalID::Locator.locate(params.require(:global_content_id))
+  end
+end
diff --git a/app/mailers/report_mailer.rb b/app/mailers/report_mailer.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ReportMailer < ApplicationMailer
+  default to: CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails)
+
+  def report_content
+    @reported_content = params.fetch(:reported_content)
+
+    mail(subject: "Spam Report: A #{@reported_content.class.name} on CodeOcean has been marked as inappropriate.")
+  end
+end
diff --git a/app/policies/report_policy.rb b/app/policies/report_policy.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class ReportPolicy < ApplicationPolicy
+  def show?
+    reciever_awalible? && @user
+  end
+
+  def create?
+    reciever_awalible? && @user && [RequestForComment, Comment].include?(@record.class)
+  end
+
+  private
+
+  def reciever_awalible?
+    ReportMailer.default_params.fetch(:to).present?
+  end
+end
diff --git a/app/views/report_mailer/report_content.text.erb b/app/views/report_mailer/report_content.text.erb
@@ -0,0 +1,15 @@
+The following content has been reported as inappropriate:
+
+<% case @reported_content %>
+  <% when Comment %>
+    <%= @reported_content.text %>
+  <% when RequestForComment %>
+    <%= @reported_content.question %>
+  <% else %>
+    <% raise("Unexpected reported content: #{@reported_content.class.name}") %>
+<% end %>
+
+Please take action on the admin page if required.
+<%= rails_admin.show_url(
+      model_name: @reported_content.class.name.underscore,
+      id: @reported_content.id) %>
diff --git a/app/views/reports/_button.html.slim b/app/views/reports/_button.html.slim
@@ -0,0 +1,5 @@
+- if policy(:report).show?
+  = button_to t('reports.report'), reports_path,
+      params: { global_content_id: reported_content.to_global_id },
+      data: { confirm: t('reports.confirm') },
+      class: 'btn btn-light btn-sm'
diff --git a/app/views/request_for_comments/show.html.slim b/app/views/request_for_comments/show.html.slim
@@ -28,6 +28,8 @@
       .text
         - question = @request_for_comment.question
         = question.presence || t('request_for_comments.no_question')
+      .text-end
+        = render('reports/button', reported_content: @request_for_comment)
 
     - if policy(@request_for_comment).mark_as_solved? && !@request_for_comment.solved?
       = render('mark_as_solved')
diff --git a/config/code_ocean.yml.ci b/config/code_ocean.yml.ci
@@ -14,3 +14,6 @@ test:
     ca_file: /example/certificates/ca.crt
     token: SECRET
     unused_runner_expiration_time: 180
+  content_moderation:
+    report_emails:
+      - report@example.com
diff --git a/config/code_ocean.yml.example b/config/code_ocean.yml.example
@@ -55,6 +55,10 @@ default: &default
     # be truly greater than any permitted execution time of an execution environment.
     unused_runner_expiration_time: 180
 
+  content_moderation:
+    # Email address to receive reports about inappropriate content.
+    report_emails:
+      # - report@example.com
 
 development:
   <<: *default
diff --git a/config/locales/de/report.yml b/config/locales/de/report.yml
@@ -0,0 +1,6 @@
+---
+de:
+  reports:
+    confirm: Möchten Sie diesen Inhalt melden?
+    report: melden
+    reported: Vielen Dank, dass Sie uns auf dieses Problem aufmerksam gemacht haben. Wir werden uns in Kürze darum kümmern.
diff --git a/config/locales/en/report.yml b/config/locales/en/report.yml
@@ -0,0 +1,6 @@
+---
+en:
+  reports:
+    confirm: Do you want to report this content?
+    report: report
+    reported: Thank you for letting us know about this issue. We look into the matter shorty.
diff --git a/config/routes.rb b/config/routes.rb
@@ -193,6 +193,8 @@
   get 'service-worker', to: 'rails/pwa#service_worker', as: :pwa_service_worker, defaults: {format: :js}
   get 'manifest(.:file_extension)', to: 'rails/pwa#manifest', as: :pwa_manifest, defaults: {format: :webmanifest}, format: false, constraints: {file_extension: %w[json webmanifest]}
 
+  resources :reports, only: :create
+
   # Defines the root path route ("/")
   root to: 'application#welcome'
 end
diff --git a/docs/LOCAL_SETUP.md b/docs/LOCAL_SETUP.md
@@ -158,6 +158,9 @@ do
     cp config/$f.example config/$f
   fi
 done
+
+sed -i.bak 's/^# - mail@example.com/- mail@example.com/' config/code_ocean.yml
+rm config/code_ocean.yml.bak
 ```
 
 Then, you should check all config files manually and adjust settings where necessary for your environment.
diff --git a/spec/controllers/comments_controller_spec.rb b/spec/controllers/comments_controller_spec.rb
@@ -5,8 +5,8 @@
 RSpec.describe CommentsController do
   render_views
 
-  let(:user) { create(:learner) }
-  let(:rfc_with_comment) { create(:rfc_with_comment, user:) }
+  let(:user) { comment.user }
+  let(:rfc_with_comment) { create(:rfc_with_comment) }
   let(:comment) { rfc_with_comment.comments.first }
   let(:updated_comment) { comment.reload }
   let(:perform_request) { proc { put :update, format: :json, params: {id: comment.id, comment: comment_params} } }
diff --git a/spec/factories/comment.rb b/spec/factories/comment.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :comment do
+    file { create(:rfc).file }
+    user factory: :learner
+    row { 1 }
+    text { "comment on file #{file.id} on #{row}" }
+  end
+end
diff --git a/spec/factories/request_for_comment.rb b/spec/factories/request_for_comment.rb
@@ -12,7 +12,7 @@
 
     factory :rfc_with_comment, class: 'RequestForComment' do
       after(:create) do |rfc|
-        Comment.create(file: rfc.file, user: rfc.user, row: 1, text: "comment for rfc #{rfc.question}")
+        create(:comment, file: rfc.file)
       end
     end
   end
diff --git a/spec/mailers/report_mailer_spec.rb b/spec/mailers/report_mailer_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ReportMailer do
+  describe '#report_content' do
+    subject(:mail) { described_class.with(reported_content:).report_content }
+
+    let(:reported_content) { create(:comment, text: 'Inappropriate content for Comment.') }
+
+    context 'when e RfC is reported' do
+      let(:reported_content) { create(:rfc, question: 'Inappropriate content for RfC.') }
+
+      it 'sets the correct subject' do
+        expect(mail.subject).to eq('Spam Report: A RequestForComment on CodeOcean has been marked as inappropriate.')
+      end
+
+      it 'includes the reported content' do
+        expect(mail.body).to include('Inappropriate content for RfC.')
+      end
+    end
+
+    it 'sets the correct sender' do
+      expect(mail.from).to include('codeocean@openhpi.de')
+    end
+
+    it 'sets the correct subject' do
+      expect(mail.subject).to eq('Spam Report: A Comment on CodeOcean has been marked as inappropriate.')
+    end
+
+    it 'sets the correct receiver' do
+      expect(mail.to).to include('report@example.com')
+    end
+
+    it 'includes the reported content' do
+      expect(mail.body).to include('Inappropriate content for Comment.')
+    end
+  end
+end
diff --git a/spec/policies/report_policy_spec.rb b/spec/policies/report_policy_spec.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ReportPolicy do
+  subject(:policy) { described_class }
+
+  permissions(:show?) do
+    it 'grants access to anyone' do
+      %i[admin external_user teacher].each do |factory_name|
+        expect(policy).to permit(create(factory_name), Comment.new)
+      end
+    end
+
+    it 'dose not allow reports when no report email is configured' do
+      user = build_stubbed(:external_user)
+
+      allow(ReportMailer).to receive(:default_params).and_return(ReportMailer.default_params.merge(to: []))
+
+      expect(policy).not_to permit(user, Comment.new)
+    end
+  end
+
+  permissions(:create?) do
+    it 'grants access to anyone' do
+      %i[admin external_user teacher].each do |factory_name|
+        expect(policy).to permit(create(factory_name), Comment.new)
+      end
+    end
+
+    it 'dose not allow reports when no report email is configured' do
+      user = build_stubbed(:external_user)
+
+      allow(ReportMailer).to receive(:default_params).and_return(ReportMailer.default_params.merge(to: []))
+
+      expect(policy).not_to permit(user, Comment.new)
+    end
+
+    it 'allows reports on RfCs and Comments' do
+      user = build_stubbed(:external_user)
+
+      expect(policy).to permit(user, Comment.new)
+      expect(policy).to permit(user, RequestForComment.new)
+      expect(policy).not_to permit(user, ExternalUser.new)
+    end
+  end
+end
diff --git a/spec/system/request_for_comments_filter_system_spec.rb b/spec/system/request_for_comments_filter_system_spec.rb
@@ -37,4 +37,18 @@
     visit(request_for_comments_path)
     expect(page).to have_css('ul.pagination')
   end
+
+  it 'allows reporeting of RfCs', :js do
+    request_for_comment = create(:rfc)
+    visit(request_for_comment_path(request_for_comment))
+
+    expect do
+      accept_confirm do
+        click_on 'report'
+      end
+
+      expect(page).to have_text('We have received your Report.')
+    end.to have_enqueued_mail(ReportMailer, :report_content)
+      .with(params: {reported_content: request_for_comment}, args: [])
+  end
 end
diff --git a/spec/views/reports/button.html.silm_spec.rb b/spec/views/reports/button.html.silm_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'reports/button.html.slim' do
+  before do
+    assign(:current_user, build_stubbed(:external_user))
+  end
+
+  it 'displayes the report button when the request is authorized' do
+    report_policy = instance_double(ReportPolicy, show?: true)
+    allow(view).to receive(:policy).with(:report).and_return(report_policy)
+
+    render('reports/button', reported_content: build_stubbed(:comment))
+
+    expect(rendered).to have_button
+  end
+
+  it 'has not report button when reporting is not authorized' do
+    report_policy = instance_double(ReportPolicy, show?: false)
+    allow(view).to receive(:policy).with(:report).and_return(report_policy)
+
+    render('reports/button', reported_content: build_stubbed(:comment))
+
+    expect(rendered).to have_no_button
+  end
+end
