Merge pull request #218 from taigaio/seralot/20260102/protect-endpoints-comments-us

CarlosLVar · web-flow · commit da40761b52e8 · 2026-01-09T08:28:15.000+01:00
Fix: Prevent editing/deleting user story comments in blocked projects
diff --git a/taiga/projects/history/api.py b/taiga/projects/history/api.py
@@ -9,6 +9,7 @@
 from django.utils.translation import gettext as _
 from django.utils import timezone
 
+from taiga.base import exceptions as exc
 from taiga.base import response
 from taiga.base.decorators import detail_route
 from taiga.base.api import ReadOnlyListViewSet
@@ -53,6 +54,13 @@ def _get_new_mentions(self, obj: object, old_comment: str, new_comment: str):
         submitted_mentions = notifications_services.get_mentions(obj, new_comment)
         return list(set(submitted_mentions) - set(old_mentions))
 
+    def _raise_if_project_blocked_or_archived(self, project):
+        if project.blocked_code:
+            raise exc.Blocked(_("Blocked element"))
+
+        if project.is_archived:
+            raise exc.PermissionDenied("Archived element")
+
     @detail_route(methods=['get'])
     def comment_versions(self, request, pk):
         obj = self.get_object()
@@ -73,8 +81,7 @@ def comment_versions(self, request, pk):
     def edit_comment(self, request, pk):
         obj = self.get_object()
 
-        if obj.project.is_archived:
-            return response.Forbidden({"error": _("Project is archived")})
+        self._raise_if_project_blocked_or_archived(obj.project)
 
         history_entry_id = request.QUERY_PARAMS.get('id', None)
         history_entry = services.get_history_queryset_by_model_instance(obj).filter(id=history_entry_id).first()
@@ -126,8 +133,7 @@ def edit_comment(self, request, pk):
     def delete_comment(self, request, pk):
         obj = self.get_object()
 
-        if obj.project.is_archived:
-            return response.Forbidden({"error": _("Project is archived")})
+        self._raise_if_project_blocked_or_archived(obj.project)
 
         history_entry_id = request.QUERY_PARAMS.get('id', None)
         history_entry = services.get_history_queryset_by_model_instance(obj).filter(id=history_entry_id).first()
diff --git a/tests/integration/test_history.py b/tests/integration/test_history.py
@@ -15,7 +15,7 @@
 from .. import factories as f
 
 from taiga.base.utils import json
-from taiga.projects.choices import ArchivedCode
+from taiga.projects.choices import ArchivedCode, BLOCKED_BY_STAFF
 from taiga.projects.history import services
 from taiga.projects.history.models import HistoryEntry
 from taiga.projects.history.choices import HistoryType
@@ -249,6 +249,23 @@ def test_delete_comment_is_project_archived(client):
     response = client.post(url, content_type="application/json")
     assert 403 == response.status_code, response.status_code
 
+def test_delete_comment_is_project_blocked(client):
+    project = f.create_project(blocked_code=BLOCKED_BY_STAFF)
+    us = f.create_userstory(project=project)
+    f.MembershipFactory.create(project=project, user=project.owner, is_admin=True)
+    key = make_key_from_model_object(us)
+    history_entry = f.HistoryEntryFactory.create(type=HistoryType.change,
+                                                 project=project,
+                                                 comment="testing",
+                                                 key=key,
+                                                 diff={},
+                                                 user={"pk": project.owner.id})
+
+    client.login(project.owner)
+    url = reverse("userstory-history-delete-comment", args=(us.id,))
+    url = "%s?id=%s" % (url, history_entry.id)
+    response = client.post(url, content_type="application/json")
+    assert 451 == response.status_code, response.status_code
 
 def test_edit_comment(client):
     project = f.create_project()
@@ -282,6 +299,29 @@ def test_edit_comment(client):
     assert history_entry.edit_comment_date != None
     assert history_entry.comment_versions[0]["user"]["id"] == project.owner.id
 
+def test_edit_comment_with_project_blocked(client):
+    project = f.create_project(blocked_code=BLOCKED_BY_STAFF)
+    us = f.create_userstory(project=project)
+    f.MembershipFactory.create(project=project, user=project.owner, is_admin=True)
+    key = make_key_from_model_object(us)
+    history_entry = f.HistoryEntryFactory.create(type=HistoryType.change,
+                                                 project=project,
+                                                 comment="testing",
+                                                 key=key,
+                                                 diff={},
+                                                 user={"pk": project.owner.id})
+
+    history_entry_created_at = history_entry.created_at
+    assert history_entry.comment_versions == None
+    assert history_entry.edit_comment_date == None
+
+    client.login(project.owner)
+    url = reverse("userstory-history-edit-comment", args=(us.id,))
+    url = "%s?id=%s" % (url, history_entry.id)
+
+    data = json.dumps({"comment": "testing update comment"})
+    response = client.post(url, data, content_type="application/json")
+    assert 451 == response.status_code, response.status_code
 
 def test_get_comment_versions(client):
     project = f.create_project()
