Merge pull request opf#18409 from opf/implementation/60988-define-mention-criterion-for-work-package-comments-with-restricted-visibility

Define user @mention criterion for work package comments with restricted visibility

Author: akabiru

app/components/work_packages/activities_tab/index_component.rb

@@ -80,7 +80,8 @@ def add_comment_wrapper_data_attributes
           action: index_stimulus_controller(":onSubmit-end@window->#{restricted_comment_stimulus_controller}#onSubmitEnd"),
           restricted_comment_stimulus_controller("-highlight-class") => "work-packages-activities-tab-journals-new-component--journal-notes-body__restricted-comment", # rubocop:disable Layout/LineLength
           restricted_comment_stimulus_controller("-hidden-class") => "d-none",
-          restricted_comment_stimulus_controller("-#{index_stimulus_controller}-outlet") => "##{wrapper_key}"
+          restricted_comment_stimulus_controller("-#{index_stimulus_controller}-outlet") => "##{wrapper_key}",
+          restricted_comment_stimulus_controller("-is-restricted-value") => false # Initial value
         }
       end
 

app/components/work_packages/activities_tab/journals/item_component/edit.html.erb

@@ -1,5 +1,5 @@
 <%=
-  component_wrapper(class: "work-packages-activities-tab-journals-item-component-edit") do
+  component_wrapper(class: "work-packages-activities-tab-journals-item-component-edit", data: wrapper_data_attributes) do
     render(Primer::Box.new(my: 3)) do
       primer_form_with(
         id: "work-package-journal-form-element", # required for specs

app/components/work_packages/activities_tab/journals/item_component/edit.rb

@@ -33,6 +33,7 @@ class ItemComponent::Edit < ApplicationComponent
         include ApplicationHelper
         include OpPrimer::ComponentHelpers
         include OpTurbo::Streamable
+        include WorkPackages::ActivitiesTab::StimulusControllers
 
         def initialize(journal:, filter:)
           super
@@ -49,6 +50,12 @@ def initialize(journal:, filter:)
         def wrapper_uniq_by
           journal.id
         end
+
+        def wrapper_data_attributes
+          {
+            restricted_comment_stimulus_controller("-is-restricted-value") => journal.restricted?
+          }
+        end
       end
     end
   end

app/controllers/work_packages/activities_tab_controller.rb

@@ -139,6 +139,13 @@ def update
     respond_with_turbo_streams
   end
 
+  def sanitize_restricted_mentions
+    render plain: sanitized_journal_notes
+  rescue StandardError => e
+    handle_internal_server_error(e)
+    respond_with_turbo_streams
+  end
+
   def toggle_reaction # rubocop:disable Metrics/AbcSize
     emoji_reaction_service =
       if @journal.emoji_reactions.exists?(user: User.current, reaction: params[:reaction])
@@ -221,6 +228,10 @@ def journal_sorting
     User.current.preference&.comments_sorting || OpenProject::Configuration.default_comment_sort_order
   end
 
+  def sanitized_journal_notes
+    WorkPackages::ActivitiesTab::RestrictedMentionsSanitizer.sanitize(@work_package, journal_params[:notes])
+  end
+
   def journal_params
     params.expect(journal: %i[notes restricted])
   end
@@ -295,22 +306,24 @@ def update_index_component
   end
 
   def create_journal_service_call
+    restricted = to_boolean(journal_params[:restricted], false)
+    notes = restricted ? sanitized_journal_notes : journal_params[:notes]
+
     AddWorkPackageNoteService
       .new(user: User.current,
            work_package: @work_package)
-      .call(journal_params[:notes],
+      .call(notes,
             send_notifications: to_boolean(params[:notify], true),
-            restricted: to_boolean(journal_params[:restricted], false))
+            restricted:)
   end
 
   def to_boolean(value, default)
     ActiveRecord::Type::Boolean.new.cast(value.presence || default)
   end
 
   def update_journal_service_call
-    Journals::UpdateService.new(model: @journal, user: User.current).call(
-      notes: journal_params[:notes]
-    )
+    notes = @journal.restricted? ? sanitized_journal_notes : journal_params[:notes]
+    Journals::UpdateService.new(model: @journal, user: User.current).call(notes:)
   end
 
   def generate_time_based_update_streams(last_update_timestamp)

app/forms/work_packages/activities_tab/journals/restricted_note_form.rb

@@ -36,7 +36,7 @@ class RestrictedNoteForm < ApplicationForm
         checked: false,
         data: {
           "work-packages--activities-tab--restricted-comment-target": "restrictedCheckbox",
-          action: "input->work-packages--activities-tab--restricted-comment#toggleBackgroundColor"
+          action: "input->work-packages--activities-tab--restricted-comment#toggleRestriction"
         }
       )
     end

app/models/queries/principals.rb

@@ -32,6 +32,7 @@ module Queries::Principals
     filter Filters::TypeFilter
     filter Filters::MemberFilter
     filter Filters::MentionableOnWorkPackageFilter
+    filter Filters::RestrictedMentionableOnWorkPackageFilter
     filter Filters::StatusFilter
     filter Filters::NameFilter
     filter Filters::AnyNameAttributeFilter

app/models/queries/principals/filters/mentionable_on_work_package_filter.rb

@@ -47,7 +47,7 @@ def key
   end
 
   def human_name
-    "mentionable" # intenral use
+    "mentionable" # Only for Internal use, not visible in the UI
   end
 
   def apply_to(query_scope)

app/models/queries/principals/filters/restricted_mentionable_on_work_package_filter.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+# -- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+# ++
+
+class Queries::Principals::Filters::RestrictedMentionableOnWorkPackageFilter <
+    Queries::Principals::Filters::PrincipalFilter
+  validate :values_are_a_single_work_package_id
+
+  def allowed_values
+    raise NotImplementedError, "There would be too many candidates"
+  end
+
+  def allowed_values_subset
+    @allowed_values_subset ||= ::WorkPackage.visible
+  end
+
+  def type
+    :list_optional
+  end
+
+  def key
+    :restricted_mentionable_on_work_package
+  end
+
+  def human_name
+    "restricted mentionable" # Only for Internal use, not visible in the UI
+  end
+
+  def apply_to(query_scope)
+    case operator
+    when "="
+      query_scope.where(id: project_members.select(:user_id))
+    when "!"
+      query_scope.where.not(id: project_members.select(:user_id))
+    end
+  end
+
+  def permission
+    :view_comments_with_restricted_visibility
+  end
+
+  private
+
+  def type_strategy
+    @type_strategy ||= Queries::Filters::Strategies::HugeList.new(self)
+  end
+
+  def values_are_a_single_work_package_id
+    errors.add(:values, :single_value_requirement) if values.size > 1
+  end
+
+  def project_members
+    Member.of_project(work_package.project)
+          .joins(roles: :role_permissions)
+          .where(role_permissions: { permission: })
+  end
+
+  def work_package
+    WorkPackage.find(values.first)
+  end
+end

app/services/work_packages/activities_tab/restricted_mentions_sanitizer.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+#-- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+#++
+
+class WorkPackages::ActivitiesTab::RestrictedMentionsSanitizer
+  def self.sanitize(work_package, notes)
+    new(work_package, notes).call
+  end
+
+  def initialize(work_package, notes)
+    @work_package = work_package
+    @notes = notes
+  end
+
+  def call
+    return "" if notes.blank?
+
+    convert_unmentionable_principals_to_plain_text
+    CGI.unescapeHTML(parser.to_html)
+  end
+
+  private
+
+  attr_reader :work_package, :notes
+
+  def convert_unmentionable_principals_to_plain_text
+    mentionable_principals_ids = mentionable_principals.pluck(:id)
+
+    parser.css("mention").each do |mention|
+      unless mentionable_principals_ids.include?(mention["data-id"].to_i)
+        mention.replace(mention.content)
+      end
+    end
+  end
+
+  def parser
+    @parser ||= Nokogiri::HTML.fragment(notes)
+  end
+
+  def mentionable_principals
+    @mentionable_principals ||= Queries::Principals::PrincipalQuery.new(user: User.current)
+      .where(:restricted_mentionable_on_work_package, "=", [work_package.id])
+      .where(:status, "!", [Principal.statuses[:locked]])
+      .where(:type, "=", %w[User Group])
+      .results
+  end
+end

config/initializers/permissions.rb

@@ -289,7 +289,7 @@
                        # FIXME: Although the endpoint is removed, the code checking whether a user
                        # is eligible to add work packages through the API still seems to rely on this.
                        journals: [:new],
-                       "work_packages/activities_tab": %i[create toggle_reaction]
+                       "work_packages/activities_tab": %i[create toggle_reaction sanitize_restricted_mentions]
                      },
                      permissible_on: %i[work_package project],
                      dependencies: :view_work_packages

config/locales/en.yml

@@ -1386,6 +1386,10 @@ en:
             values:
               inclusion: "filter has invalid values."
               format: "%{message}"
+        queries/principals/filters/restricted_mentionable_on_work_package_filter:
+          attributes:
+            values:
+              single_value_requirement: "must be a single work package"
         relation:
           typed_dag:
             circular_dependency: "The relationship creates a circle of relationships."

config/routes.rb

@@ -646,10 +646,12 @@
         get :cancel_edit
         put :toggle_reaction
       end
+
       collection do
         get :update_streams
         get :update_filter # filter not persisted
         put :update_sorting # sorting is persisted
+        post :sanitize_restricted_mentions
       end
     end
 

frontend/src/app/core/path-helper/apiv3-paths.ts

@@ -47,7 +47,11 @@ export class ApiV3Paths {
       filters.add('member', '=', [(workPackage.project as HalResource).id as string]);
     } else {
       // that are mentionable on the work package
-      filters.add('mentionable_on_work_package', '=', [workPackage.id.toString()]);
+      filters.add(
+        (this.isRestrictedMentionable() ? 'restricted_mentionable_on_work_package' : 'mentionable_on_work_package'),
+        '=',
+        [workPackage.id.toString()],
+      );
     }
     // That are users:
     filters.add('type', '=', ['User', 'Group']);
@@ -57,8 +61,20 @@ export class ApiV3Paths {
       filters.add('name', '~', [term]);
     }
 
-    return `${this.apiV3Base
-    }/principals?${
-      filters.toParams({ sortBy: '[["name","asc"]]', offset: '1', pageSize: '10' })}`;
+    return `${this.apiV3Base}/principals?${filters.toParams({ sortBy: '[["name","asc"]]', offset: '1', pageSize: '10' })}`;
+  }
+
+  /**
+   * Check if either adding or editing a comment is restricted, and thus
+   * the mentionable principals are to be restricted
+   *
+   * @returns {boolean}
+   */
+  private isRestrictedMentionable():boolean {
+    const isRestrictedAttributeValue = 'data-work-packages--activities-tab--restricted-comment-is-restricted-value';
+    const addingCommentIsRestricted = document.getElementById('work-packages-activities-tab-add-comment-component')?.getAttribute(isRestrictedAttributeValue) === 'true';
+    const editingCommentIsRestricted = document.querySelector('.work-packages-activities-tab-journals-item-component-edit')?.getAttribute(isRestrictedAttributeValue) === 'true';
+
+    return addingCommentIsRestricted || editingCommentIsRestricted;
   }
 }

frontend/src/stimulus/controllers/dynamic/work-packages/activities-tab/quote-comment.controller.ts

@@ -83,7 +83,7 @@ export default class QuoteCommentController extends Controller {
   private setCommentRestriction(isRestricted:boolean) {
     if (isRestricted && !this.workPackagesActivitiesTabRestrictedCommentOutlet.restrictedCheckboxTarget.checked) {
       this.workPackagesActivitiesTabRestrictedCommentOutlet.restrictedCheckboxTarget.checked = isRestricted;
-      this.workPackagesActivitiesTabRestrictedCommentOutlet.toggleBackgroundColor();
+      this.workPackagesActivitiesTabRestrictedCommentOutlet.toggleRestriction();
     }
   }