Allow reporting of malicious content

arkirchner · arkirchner · commit f39e2cf8de91 · 2025-06-13T12:26:06.000+02:00
RfCs and Comments on RfCs are user generated content that can be reviewed by other users. This feature can be misused. A simple email based reporting mechanism has been added allow users to report this malicious content. The UI for the RfC comment are part of a separate change. Relates to #2715
diff --git a/app/controllers/request_for_comments_controller.rb b/app/controllers/request_for_comments_controller.rb
@@ -2,7 +2,7 @@
 
 class RequestForCommentsController < ApplicationController
   include CommonBehavior
-  before_action :set_request_for_comment, only: %i[show mark_as_solved set_thank_you_note clear_question]
+  before_action :set_request_for_comment, only: %i[show mark_as_solved set_thank_you_note clear_question report]
   before_action :set_study_group_grouping,
     only: %i[index my_comment_requests rfcs_with_my_comments rfcs_for_exercise]
 
@@ -162,6 +162,15 @@ def create
     authorize!
   end
 
+  # POST /request_for_comments/1/report
+  def report
+    authorize!
+
+    ReportMailer.with(reported_content: @request_for_comment).report_content.deliver_later
+
+    redirect_to(@request_for_comment, notice: t('.report.reported'))
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.
diff --git a/app/mailers/report_mailer.rb b/app/mailers/report_mailer.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+class ReportMailer < ApplicationMailer
+  default to: CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails)
+
+  def report_content
+    @reported_content = params.fetch(:reported_content)
+
+    mail(subject: I18n.t('report_mailer.report_content.subject', content_name: @reported_content.model_name.human))
+  end
+end
diff --git a/app/policies/request_for_comment_policy.rb b/app/policies/request_for_comment_policy.rb
@@ -41,6 +41,16 @@ def rfcs_with_my_comments?
     everyone
   end
 
+  def report?
+    report_receiver_configured? && !author?
+  end
+
+  private
+
+  def report_receiver_configured?
+    CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails).present?
+  end
+
   def rfc_visibility
     # The consumer with the most restricted visibility determines the visibility of the RfC
     case [@user.consumer.rfc_visibility, @record.author.consumer.rfc_visibility]
diff --git a/app/views/report_mailer/report_content.text.erb b/app/views/report_mailer/report_content.text.erb
@@ -0,0 +1,21 @@
+<%= t('.prolog') %>
+
+<% case @reported_content %>
+  <% when Comment %>
+    <%= @reported_content.text %>
+
+    <%= t('.take_action') %>
+
+    <%= rails_admin.show_url(
+          model_name: 'comment',
+          id: @reported_content.id) %>
+  <% when RequestForComment %>
+    <%= @reported_content.question %>
+
+    <%= t('.take_action') %>
+
+    <%= request_for_comment_url(@reported_content) %>
+  <% else %>
+    <% raise("Unexpected reported content: #{@reported_content.class.name}") %>
+<% end %>
+
diff --git a/app/views/request_for_comments/_report.html.slim b/app/views/request_for_comments/_report.html.slim
@@ -0,0 +1,5 @@
+- if policy(request_for_comment).report?
+  .text-end
+    = button_to t('.report'), report_request_for_comment_path(request_for_comment),
+        data: {confirm: t('.confirm')},
+        class: 'btn btn-light btn-sm'
diff --git a/app/views/request_for_comments/show.html.slim b/app/views/request_for_comments/show.html.slim
@@ -28,6 +28,7 @@
       .text
         - question = @request_for_comment.question
         = question.presence || t('request_for_comments.no_question')
+      = render('report', request_for_comment: @request_for_comment)
 
     - if policy(@request_for_comment).mark_as_solved? && !@request_for_comment.solved?
       = render('mark_as_solved')
diff --git a/config/code_ocean.yml.ci b/config/code_ocean.yml.ci
@@ -14,3 +14,6 @@ test:
     ca_file: /example/certificates/ca.crt
     token: SECRET
     unused_runner_expiration_time: 180
+  content_moderation:
+    report_emails:
+      - report@example.com
diff --git a/config/code_ocean.yml.example b/config/code_ocean.yml.example
@@ -55,6 +55,10 @@ default: &default
     # be truly greater than any permitted execution time of an execution environment.
     unused_runner_expiration_time: 180
 
+  content_moderation:
+    # Email address to receive reports about inappropriate content.
+    report_emails:
+      # - report@example.com
 
 development:
   <<: *default
diff --git a/config/locales/de/report.yml b/config/locales/de/report.yml
@@ -0,0 +1,7 @@
+---
+de:
+  report_mailer:
+    report_content:
+      prolog: 'Die folgenden Inhalte wurden als unangemessen gemeldet:'
+      subject: 'Spam Report: Ein %{content_name} in CodeOcean wurde als unangemessen markiert.'
+      take_action: Bitte ergreifen Sie gegebenenfalls Maßnahmen.
diff --git a/config/locales/de/request_for_comment.yml b/config/locales/de/request_for_comment.yml
@@ -42,6 +42,10 @@ de:
     no_output: Keine Ausgabe.
     no_question: Der/die Autor:in hat keine Frage zu dieser Anfrage gestellt.
     passed: Erfolgreich
+    report:
+      confirm: Möchten Sie diesen Inhalt melden?
+      report: Melden
+      reported: Vielen Dank, dass Sie uns auf dieses Problem aufmerksam gemacht haben. Wir werden uns in Kürze darum kümmern.
     runtime_output: Programmausgabe
     send_thank_you_note: Senden
     show_all: Alle Anfragen anzeigen
diff --git a/config/locales/en/report.yml b/config/locales/en/report.yml
@@ -0,0 +1,7 @@
+---
+en:
+  report_mailer:
+    report_content:
+      prolog: 'The following content has been reported as inappropriate:'
+      subject: 'Spam Report: A %{content_name} on CodeOcean has been marked as inappropriate.'
+      take_action: Please take action if required.
diff --git a/config/locales/en/request_for_comment.yml b/config/locales/en/request_for_comment.yml
@@ -42,6 +42,10 @@ en:
     no_output: No output.
     no_question: The author did not enter a question for this request.
     passed: Passed
+    report:
+      confirm: Do you want to report this content?
+      report: Report
+      reported: Thank you for letting us know about this issue. We will look into the matter shortly.
     runtime_output: Runtime Output
     send_thank_you_note: Send
     show_all: All requests
diff --git a/config/routes.rb b/config/routes.rb
@@ -21,6 +21,7 @@
       get :mark_as_solved, defaults: {format: :json}
       post :set_thank_you_note, defaults: {format: :json}
       post :clear_question
+      post :report
     end
   end
   resources :comments, defaults: {format: :json}
diff --git a/package.json b/package.json
@@ -5,12 +5,12 @@
     "@babel/core": "^7.27.4",
     "@babel/plugin-transform-runtime": "^7.27.4",
     "@babel/preset-env": "^7.27.2",
-    "@babel/runtime": "^7.27.6",
+    "@babel/runtime": "^7.27.4",
     "@egjs/hammerjs": "^2.0.17",
     "@fortawesome/fontawesome-free": "^6.7.2",
     "@github/webauthn-json": "^2.1.1",
     "@popperjs/core": "^2.11.8",
-    "@sentry/browser": "^9.28.1",
+    "@sentry/browser": "^9.25.1",
     "@toast-ui/editor": "^3.2.2",
     "@webpack-cli/serve": "^3.0.1",
     "ace-builds": "^1.42.0",
@@ -38,7 +38,7 @@
     "pnp-webpack-plugin": "^1.7.0",
     "propagating-hammerjs": "^3.0.0",
     "rails_admin": "3.3.0",
-    "sass": "^1.89.2",
+    "sass": "^1.89.1",
     "sass-loader": "^16.0.5",
     "shakapacker": "8.3.0",
     "sortablejs": "^1.15.6",
@@ -51,7 +51,7 @@
     "vis-timeline": "^7.7.4",
     "vis-util": "^5.0.7",
     "webpack": "^5.99.9",
-    "webpack-assets-manifest": "^6.2.1",
+    "webpack-assets-manifest": "^6.1.0",
     "webpack-cli": "^6.0.1",
     "webpack-merge": "^6.0.1",
     "webpack-sources": "^3.3.2",
diff --git a/spec/controllers/comments_controller_spec.rb b/spec/controllers/comments_controller_spec.rb
@@ -5,8 +5,8 @@
 RSpec.describe CommentsController do
   render_views
 
-  let(:user) { create(:learner) }
-  let(:rfc_with_comment) { create(:rfc_with_comment, user:) }
+  let(:user) { comment.user }
+  let(:rfc_with_comment) { create(:rfc_with_comment) }
   let(:comment) { rfc_with_comment.comments.first }
   let(:updated_comment) { comment.reload }
   let(:perform_request) { proc { put :update, format: :json, params: {id: comment.id, comment: comment_params} } }
diff --git a/spec/factories/comment.rb b/spec/factories/comment.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+FactoryBot.define do
+  factory :comment do
+    file { create(:rfc).file }
+    user factory: :learner
+    row { 1 }
+    text { "comment on file #{file.id} on #{row}" }
+  end
+end
diff --git a/spec/factories/request_for_comment.rb b/spec/factories/request_for_comment.rb
@@ -12,7 +12,7 @@
 
     factory :rfc_with_comment, class: 'RequestForComment' do
       after(:create) do |rfc|
-        Comment.create(file: rfc.file, user: rfc.user, row: 1, text: "comment for rfc #{rfc.question}")
+        create(:comment, file: rfc.file)
       end
     end
   end
diff --git a/spec/mailers/report_mailer_spec.rb b/spec/mailers/report_mailer_spec.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ReportMailer do
+  describe '#report_content' do
+    subject(:mail) { described_class.with(reported_content:).report_content }
+
+    let(:reported_content) { create(:comment, text: 'Inappropriate content for Comment.') }
+
+    it 'sets the correct sender' do
+      expect(mail.from).to include('codeocean@openhpi.de')
+    end
+
+    context 'when a RfC is reported' do
+      let(:reported_content) { create(:rfc, question: 'Inappropriate content for RfC.') }
+
+      it 'sets the correct subject' do
+        expect(mail.subject).to eq(I18n.t('report_mailer.report_content.subject', content_name: RequestForComment.model_name.human))
+      end
+
+      it 'includes the reported content' do
+        expect(mail.body).to include('Inappropriate content for RfC.')
+      end
+    end
+
+    context 'when a Comment is reported' do
+      it 'sets the correct subject' do
+        expect(mail.subject).to eq(I18n.t('report_mailer.report_content.subject', content_name: Comment.model_name.human))
+      end
+
+      it 'sets the correct receiver' do
+        expect(mail.to).to include('report@example.com')
+      end
+
+      it 'includes the reported content' do
+        expect(mail.body).to include('Inappropriate content for Comment.')
+      end
+    end
+  end
+end
diff --git a/spec/policies/request_for_comment_policy_spec.rb b/spec/policies/request_for_comment_policy_spec.rb
@@ -307,4 +307,26 @@
       end
     end
   end
+
+  permissions(:report?) do
+    let(:user) { build_stubbed(:external_user) }
+
+    it 'allows anyone to report RfCs' do
+      %i[admin external_user teacher].each do |factory_name|
+        expect(policy).to permit(create(factory_name), Comment.new)
+      end
+    end
+
+    it 'dose not allow reports when no report email is configured' do
+      codeocean_config = instance_double(CodeOcean::Config)
+      allow(CodeOcean::Config).to receive(:new).with(:code_ocean).and_return(codeocean_config)
+      allow(codeocean_config).to receive(:read).and_return({})
+
+      expect(policy).not_to permit(user, RequestForComment.new)
+    end
+
+    it 'dose not allow reports of your own content' do
+      expect(policy).not_to permit(user, Comment.new(user: user))
+    end
+  end
 end
diff --git a/spec/request/request_for_comments_spec.rb b/spec/request/request_for_comments_spec.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'POST /request_for_comments/:rfc_id/report', type: :request do
+  it 'sends an email to let admins know about the report' do
+    user = create(:learner)
+    password = attributes_for(:learner).fetch(:password)
+    login_as(user, password)
+    rfc = create(:rfc)
+
+    expect { post(report_request_for_comment_path(rfc, session: {foo: 'bar'})) }
+      .to have_enqueued_mail(ReportMailer, :report_content)
+      .with(params: {reported_content: rfc}, args: [])
+  end
+end
diff --git a/spec/support/authentication.rb b/spec/support/authentication.rb
@@ -6,6 +6,13 @@ def sign_in(user, password)
   end
 end
 
+module RequestLoginHelper
+  def login_as(user, password)
+    post(sessions_url, params: {email: user.email, password:})
+  end
+end
+
 RSpec.configure do |config|
   config.include Authentication, type: :system
+  config.include RequestLoginHelper, type: :request
 end
diff --git a/spec/system/request_for_comments_filter_system_spec.rb b/spec/system/request_for_comments_filter_system_spec.rb
@@ -37,4 +37,15 @@
     visit(request_for_comments_path)
     expect(page).to have_css('ul.pagination')
   end
+
+  it 'allows reporting of RfCs', :js do
+    request_for_comment = create(:rfc)
+    visit(request_for_comment_path(request_for_comment))
+
+    accept_confirm do
+      click_on I18n.t('request_for_comments.report.report')
+    end
+
+    expect(page).to have_text(I18n.t('request_for_comments.report.reported'))
+  end
 end
diff --git a/spec/views/request_for_comments/report.html.silm_spec.rb b/spec/views/request_for_comments/report.html.silm_spec.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe 'request_for_comments/report.html.slim' do
+  let(:rfc) { build_stubbed(:rfc) }
+
+  before do
+    assign(:current_user, build_stubbed(:external_user))
+  end
+
+  it 'displayes the report button when the request is authorized' do
+    report_policy = instance_double(RequestForCommentPolicy, report?: true)
+    allow(view).to receive(:policy).with(rfc).and_return(report_policy)
+
+    render('request_for_comments/report', request_for_comment: rfc)
+
+    expect(rendered).to have_button
+  end
+
+  it 'has not report button when reporting is not authorized' do
+    report_policy = instance_double(RequestForCommentPolicy, report?: false)
+    allow(view).to receive(:policy).with(rfc).and_return(report_policy)
+
+    render('request_for_comments/report', request_for_comment: rfc)
+
+    expect(rendered).to have_no_button
+  end
+end
diff --git a/yarn.lock b/yarn.lock
