Allow reporting of malicious content

arkirchner · arkirchner · commit f17d4bb2b450 · 2025-06-04T17:54:00.000+02:00
RfCs and Comments on RfCs are user generated content that can be reviewed by other users. This feature can be misused. A simple email based reporting mechanism has been added allow users to report this malicious content. The UI for the RfC comment are part of a separate change. Relates to #2715
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -140,7 +140,7 @@ GEM
       bigdecimal
       rexml
     crass (1.0.6)
-    csv (3.3.4)
+    csv (3.3.5)
     dachsfisch (1.0.2)
       nokogiri (>= 1.14.1, < 2.0.0)
     date (3.4.1)
@@ -234,7 +234,7 @@ GEM
     js-routes (2.3.5)
       railties (>= 5)
       sorbet-runtime
-    json (2.12.0)
+    json (2.12.2)
     json_schemer (2.4.0)
       bigdecimal
       hana (~> 1.3)
@@ -299,8 +299,8 @@ GEM
     nested_form (0.3.2)
     net-http (0.6.0)
       uri
-    net-http-persistent (4.0.5)
-      connection_pool (~> 2.2)
+    net-http-persistent (4.0.6)
+      connection_pool (~> 2.2, >= 2.2.4)
     net-imap (0.5.8)
       date
       net-protocol
@@ -472,7 +472,7 @@ GEM
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
     rspec-support (3.13.3)
-    rubocop (1.75.7)
+    rubocop (1.75.8)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -795,7 +795,7 @@ CHECKSUMS
   cose (1.3.1) sha256=d5d4dbcd6b035d513edc4e1ab9bc10e9ce13b4011c96e3d1b8fe5e6413fd6de5
   crack (1.0.0) sha256=c83aefdb428cdc7b66c7f287e488c796f055c0839e6e545fec2c7047743c4a49
   crass (1.0.6) sha256=dc516022a56e7b3b156099abc81b6d2b08ea1ed12676ac7a5657617f012bd45d
-  csv (3.3.4) sha256=e96ecd5a8c3494aa5b596282249daba5c6033203c199248e6146e36d2a78d8cd
+  csv (3.3.5) sha256=6e5134ac3383ef728b7f02725d9872934f523cb40b961479f69cf3afa6c8e73f
   dachsfisch (1.0.2) sha256=d8002414310cc8dc5d87d61d04d660f59f4cd095981ba20f09439c5e5b8d3c13
   date (3.4.1) sha256=bf268e14ef7158009bfeaec40b5fa3c7271906e88b196d958a89d4b408abe64f
   debug_inspector (1.2.0) sha256=9bdfa02eebc3da163833e6a89b154084232f5766087e59573b70521c77ea68a2
@@ -844,7 +844,7 @@ CHECKSUMS
   irb (1.15.2) sha256=222f32952e278da34b58ffe45e8634bf4afc2dc7aa9da23fed67e581aa50fdba
   jbuilder (2.13.0) sha256=7200a38a1c0081aa81b7a9757e7a299db75bc58cf1fd45ca7919a91627d227d6
   js-routes (2.3.5) sha256=8279fd3be49916309dfeaee546d659b97986e3edbb47332902e688992b143a4d
-  json (2.12.0) sha256=b30fce000756de94c756679c7e57ed41f03f8cc8dde2d2dc00a7c44005da0a50
+  json (2.12.2) sha256=ba94a48ad265605c8fa9a50a5892f3ba6a02661aa010f638211f3cb36f44abf4
   json_schemer (2.4.0) sha256=56cb6117bb5748d925b33ad3f415b513d41d25d0bbf57fe63c0a78ff05597c24
   jwt (2.10.1) sha256=e6424ae1d813f63e761a04d6284e10e7ec531d6f701917fadcd0d9b2deaf1cc5
   kaminari (1.2.2) sha256=c4076ff9adccc6109408333f87b5c4abbda5e39dc464bd4c66d06d9f73442a3e
@@ -874,7 +874,7 @@ CHECKSUMS
   multi_xml (0.7.2) sha256=307a96dc48613badb7b2fc174fd4e62d7c7b619bc36ea33bfd0c49f64f5787ce
   nested_form (0.3.2) sha256=b1c468d7eac781235861c2f74fc9f675df0c4d915d5724aaf7fd29f7891c0538
   net-http (0.6.0) sha256=9621b20c137898af9d890556848c93603716cab516dc2c89b01a38b894e259fb
-  net-http-persistent (4.0.5) sha256=6e42880b347e650ffeaf679ae59c9d5a6ed8a22cda6e1b959d9c270050aefa8e
+  net-http-persistent (4.0.6) sha256=2abb3a04438edf6cb9e0e7e505969605f709eda3e3c5211beadd621a2c84dd5d
   net-imap (0.5.8) sha256=52aa5fdfc1a8a3df1f793b20a327e95b5a9dfe1d733e1f0d53075d2dbcfcf593
   net-pop (0.1.2) sha256=848b4e982013c15b2f0382792268763b748cce91c9e91e36b0f27ed26420dff3
   net-protocol (0.2.2) sha256=aa73e0cba6a125369de9837b8d8ef82a61849360eba0521900e2c3713aa162a8
@@ -941,7 +941,7 @@ CHECKSUMS
   rspec-mocks (3.13.4) sha256=6bb158a0719c53d522104ed34c0777b884b2c9dc775ce64eaa10207df02ab993
   rspec-rails (8.0.0) sha256=977a508cd94d152db2068c6585470db5d0cd47eef56d5410b9531034fb9d97bf
   rspec-support (3.13.3) sha256=2a61e393f6e18b7228726e0c6869c5d5a1419d37206116c4d917d145276b3f43
-  rubocop (1.75.7) sha256=23566ebb25263f26020687f8abb8aec049f3e29b6a00bdf0aa9d1db16b558be9
+  rubocop (1.75.8) sha256=c80ab4286c5dcfc49d7ad1787cdba5569b63b58c96ee7afde4ec47a9c8a85be9
   rubocop-ast (1.44.1) sha256=e3cc04203b2ef04f6d6cf5f85fe6d643f442b18cc3b23e3ada0ce5b6521b8e92
   rubocop-capybara (2.22.1) sha256=ced88caef23efea53f46e098ff352f8fc1068c649606ca75cb74650970f51c0c
   rubocop-factory_bot (2.27.1) sha256=9d744b5916778c1848e5fe6777cc69855bd96548853554ec239ba9961b8573fe
diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class ReportsController < ApplicationController
+  def create
+    authorize(reported_content, policy_class: ReportPolicy)
+    ReportMailer.with(reported_content:).report_content.deliver_later
+    redirect_back(fallback_location: :root, notice: t('reports.reported'))
+  end
+
+  private
+
+  def reported_content
+    @reported_content ||= GlobalID::Locator.locate(params.require(:global_content_id))
+  end
+end
diff --git a/app/mailers/report_mailer.rb b/app/mailers/report_mailer.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ReportMailer < ApplicationMailer
+  default to: CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails)
+
+  def report_content
+    @reported_content = params.fetch(:reported_content)
+
+    mail(subject: "Spam Report: A #{@reported_content.class.name} on CodeOcean has been marked as inappropriate.")
+  end
+end
diff --git a/app/policies/report_policy.rb b/app/policies/report_policy.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class ReportPolicy < ApplicationPolicy
+  def show?
+    reciever_awalible? && @user
+  end
+
+  def create?
+    reciever_awalible? && @user && [RequestForComment, Comment].include?(@record.class)
+  end
+
+  private
+
+  def reciever_awalible?
+    ReportMailer.default_params.fetch(:to).present?
+  end
+end
diff --git a/app/views/report_mailer/report_content.text.erb b/app/views/report_mailer/report_content.text.erb
@@ -0,0 +1,15 @@
+The following content has been reported as inappropriate:
+
+<% case @reported_content %>
+  <% when Comment %>
+    <%= @reported_content.text %>
+  <% when RequestForComment %>
+    <%= @reported_content.question %>
+  <% else %>
+    <% raise("Unexpected reported content: #{@reported_content.class.name}") %>
+<% end %>
+
+Please take action on the admin page if required.
+<%= rails_admin.show_url(
+      model_name: @reported_content.class.name.underscore,
+      id: @reported_content.id) %>
diff --git a/app/views/reports/_button.html.slim b/app/views/reports/_button.html.slim
@@ -0,0 +1,5 @@
+- if policy(:report).show?
+  = button_to t('reports.report'), reports_path,
+      params: {global_content_id: reported_content.to_global_id},
+      data: {confirm: t('reports.confirm')},
+      class: 'btn btn-light btn-sm'
diff --git a/app/views/request_for_comments/show.html.slim b/app/views/request_for_comments/show.html.slim
@@ -28,6 +28,8 @@
       .text
         - question = @request_for_comment.question
         = question.presence || t('request_for_comments.no_question')
+      .text-end
+        = render('reports/button', reported_content: @request_for_comment)
 
     - if policy(@request_for_comment).mark_as_solved? && !@request_for_comment.solved?
       = render('mark_as_solved')
diff --git a/config/code_ocean.yml.ci b/config/code_ocean.yml.ci
@@ -14,3 +14,6 @@ test:
     ca_file: /example/certificates/ca.crt
     token: SECRET
     unused_runner_expiration_time: 180
+  content_moderation:
+    report_emails:
+      - report@example.com
diff --git a/config/code_ocean.yml.example b/config/code_ocean.yml.example
@@ -55,6 +55,10 @@ default: &default
     # be truly greater than any permitted execution time of an execution environment.
     unused_runner_expiration_time: 180
 
+  content_moderation:
+    # Email address to receive reports about inappropriate content.
+    report_emails:
+      # - report@example.com
 
 development:
   <<: *default
diff --git a/config/locales/de/report.yml b/config/locales/de/report.yml
@@ -0,0 +1,6 @@
+---
+de:
+  reports:
+    confirm: Möchten Sie diesen Inhalt melden?
+    report: melden
+    reported: Vielen Dank, dass Sie uns auf dieses Problem aufmerksam gemacht haben. Wir werden uns in Kürze darum kümmern.
diff --git a/config/locales/en/report.yml b/config/locales/en/report.yml
@@ -0,0 +1,6 @@
+---
+en:
+  reports:
+    confirm: Do you want to report this content?
+    report: report
+    reported: Thank you for letting us know about this issue. We look into the matter shorty.
diff --git a/config/routes.rb b/config/routes.rb
@@ -193,6 +193,8 @@
   get 'service-worker', to: 'rails/pwa#service_worker', as: :pwa_service_worker, defaults: {format: :js}
   get 'manifest(.:file_extension)', to: 'rails/pwa#manifest', as: :pwa_manifest, defaults: {format: :webmanifest}, format: false, constraints: {file_extension: %w[json webmanifest]}
 
+  resources :reports, only: :create
+
   # Defines the root path route ("/")
   root to: 'application#welcome'
 end
diff --git a/docs/LOCAL_SETUP.md b/docs/LOCAL_SETUP.md
@@ -158,6 +158,9 @@ do
     cp config/$f.example config/$f
   fi
 done
+
+sed -i.bak 's/^# - mail@example.com/- mail@example.com/' config/code_ocean.yml
+rm config/code_ocean.yml.bak
 ```
 
 Then, you should check all config files manually and adjust settings where necessary for your environment.
diff --git a/spec/controllers/comments_controller_spec.rb b/spec/controllers/comments_controller_spec.rb
@@ -5,8 +5,8 @@
 RSpec.describe CommentsController do
   render_views
 
-  let(:user) { create(:learner) }
-  let(:rfc_with_comment) { create(:rfc_with_comment, user:) }
+  let(:user) { comment.user }
+  let(:rfc_with_comment) { create(:rfc_with_comment) }
   let(:comment) { rfc_with_comment.comments.first }
   let(:updated_comment) { comment.reload }
   let(:perform_request) { proc { put :update, format: :json, params: {id: comment.id, comment: comment_params} } }
diff --git a/spec/factories/comment.rb b/spec/factories/comment.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :comment do
+    file { create(:rfc).file }
+    user factory: :learner
+    row { 1 }
+    text { "comment on file #{file.id} on #{row}" }
+  end
+end
diff --git a/spec/factories/request_for_comment.rb b/spec/factories/request_for_comment.rb
@@ -12,7 +12,7 @@
 
     factory :rfc_with_comment, class: 'RequestForComment' do
       after(:create) do |rfc|
-        Comment.create(file: rfc.file, user: rfc.user, row: 1, text: "comment for rfc #{rfc.question}")
+        create(:comment, file: rfc.file)
       end
     end
   end
diff --git a/spec/mailers/report_mailer_spec.rb b/spec/mailers/report_mailer_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ReportMailer do
+  describe '#report_content' do
+    subject(:mail) { described_class.with(reported_content:).report_content }
+
+    let(:reported_content) { create(:comment, text: 'Inappropriate content for Comment.') }
+
+    context 'when e RfC is reported' do
+      let(:reported_content) { create(:rfc, question: 'Inappropriate content for RfC.') }
+
+      it 'sets the correct subject' do
+        expect(mail.subject).to eq('Spam Report: A RequestForComment on CodeOcean has been marked as inappropriate.')
+      end
+
+      it 'includes the reported content' do
+        expect(mail.body).to include('Inappropriate content for RfC.')
+      end
+    end
+
+    it 'sets the correct sender' do
+      expect(mail.from).to include('codeocean@openhpi.de')
+    end
+
+    it 'sets the correct subject' do
+      expect(mail.subject).to eq('Spam Report: A Comment on CodeOcean has been marked as inappropriate.')
+    end
+
+    it 'sets the correct receiver' do
+      expect(mail.to).to include('report@example.com')
+    end
+
+    it 'includes the reported content' do
+      expect(mail.body).to include('Inappropriate content for Comment.')
+    end
+  end
+end
diff --git a/spec/policies/report_policy_spec.rb b/spec/policies/report_policy_spec.rb
@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ReportPolicy do
+  subject(:policy) { described_class }
+
+  permissions(:show?) do
+    it 'grants access to anyone' do
+      %i[admin external_user teacher].each do |factory_name|
+        expect(policy).to permit(create(factory_name), Comment.new)
+      end
+    end
+
+    it 'dose not allow reports when no report email is configured' do
+      user = build_stubbed(:external_user)
+
+      allow(ReportMailer).to receive(:default_params).and_return(ReportMailer.default_params.merge(to: []))
+
+      expect(policy).not_to permit(user, Comment.new)
+    end
+  end
+
+  permissions(:create?) do
+    it 'grants access to anyone' do
+      %i[admin external_user teacher].each do |factory_name|
+        expect(policy).to permit(create(factory_name), Comment.new)
+      end
+    end
+
+    it 'dose not allow reports when no report email is configured' do
+      user = build_stubbed(:external_user)
+
+      allow(ReportMailer).to receive(:default_params).and_return(ReportMailer.default_params.merge(to: []))
+
+      expect(policy).not_to permit(user, Comment.new)
+    end
+
+    it 'allows reports on RfCs and Comments' do
+      user = build_stubbed(:external_user)
+
+      expect(policy).to permit(user, Comment.new)
+      expect(policy).to permit(user, RequestForComment.new)
+      expect(policy).not_to permit(user, ExternalUser.new)
+    end
+  end
+end
diff --git a/spec/system/request_for_comments_filter_system_spec.rb b/spec/system/request_for_comments_filter_system_spec.rb
@@ -37,4 +37,18 @@
     visit(request_for_comments_path)
     expect(page).to have_css('ul.pagination')
   end
+
+  it 'allows reporeting of RfCs', :js do
+    request_for_comment = create(:rfc)
+    visit(request_for_comment_path(request_for_comment))
+
+    expect do
+      accept_confirm do
+        click_on 'report'
+      end
+
+      expect(page).to have_text('We have received your Report.')
+    end.to have_enqueued_mail(ReportMailer, :report_content)
+      .with(params: {reported_content: request_for_comment}, args: [])
+  end
 end
diff --git a/spec/views/reports/button.html.silm_spec.rb b/spec/views/reports/button.html.silm_spec.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'reports/button.html.slim' do
+  before do
+    assign(:current_user, build_stubbed(:external_user))
+  end
+
+  it 'displayes the report button when the request is authorized' do
+    report_policy = instance_double(ReportPolicy, show?: true)
+    allow(view).to receive(:policy).with(:report).and_return(report_policy)
+
+    render('reports/button', reported_content: build_stubbed(:comment))
+
+    expect(rendered).to have_button
+  end
+
+  it 'has not report button when reporting is not authorized' do
+    report_policy = instance_double(ReportPolicy, show?: false)
+    allow(view).to receive(:policy).with(:report).and_return(report_policy)
+
+    render('reports/button', reported_content: build_stubbed(:comment))
+
+    expect(rendered).to have_no_button
+  end
+end
