feat: Allow users to report comments

Comments can be used to potentially harass users who request comments.
A button was added to report a message as spam.

Resolves #2715

Author: arkirchner

app/assets/javascripts/request_for_comments.js

@@ -116,6 +116,9 @@ $(document).on('turbo-migration:load', function () {
             <button class="action-edit btn btn-sm btn-warning">' + I18n.t('shared.edit') + '</button> \
             <button class="action-delete btn btn-sm btn-danger">' + I18n.t('shared.destroy') + '</button> \
           </div> \
+          <div class="text-warning' + (comment.reportable ? '' : ' d-none') + '"> \
+            <button class="action-report btn btn-light btn-sm">' + I18n.t('shared.report') + '</button> \
+          </div> \
         </div>';
         });
         return htmlContent;
@@ -166,6 +169,17 @@ $(document).on('turbo-migration:load', function () {
         })
     }
 
+    function reportComment(commentId, callback) {
+        const jqxhr = $.ajax({
+            type: 'POST',
+            url: Routes.report_comment_path(commentId)
+        });
+        jqxhr.done(function () {
+            callback();
+        });
+        jqxhr.fail(ajaxError);
+    }
+
     function deleteComment(commentId, editor, file_id, callback) {
         const jqxhr = $.ajax({
             type: 'DELETE',
@@ -313,6 +327,17 @@ $(document).on('turbo-migration:load', function () {
             const container = otherComments.find('.container');
             container.html(htmlContent);
 
+            const reportButtons = container.find('.action-report');
+            reportButtons.on('click', function (event) {
+                const button = $(event.target);
+                const parent = $(button).parent().parent();
+                const commentId = parent.data('comment-id');
+
+                reportComment(commentId, function () {
+                  parent.html('<div class="comment-reported">' + I18n.t('comments.reported') + '</div>');
+                });
+            });
+
             const deleteButtons = container.find('.action-delete');
             deleteButtons.on('click', function (event) {
                 const button = $(event.target);

app/controllers/comments_controller.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class CommentsController < ApplicationController
-  before_action :set_comment, only: %i[show update destroy]
+  before_action :set_comment, only: %i[show update destroy report]
 
   def authorize!
     authorize(@comment || @comments)
@@ -15,12 +15,6 @@ def index
     submission = Submission.find_by(id: file.context_id)
     if submission
       @comments = Comment.where(file_id: params[:file_id])
-      @comments.map do |comment|
-        comment.username = comment.user.displayname
-        comment.date = comment.created_at.strftime('%d.%m.%Y %k:%M')
-        comment.updated = (comment.created_at != comment.updated_at)
-        comment.editable = policy(comment).edit?
-      end
     else
       @comments = []
     end
@@ -67,6 +61,15 @@ def destroy
     head :no_content
   end
 
+  # POST /comments/1/report.json
+  def report
+    authorize!
+
+    ReportMailer.with(reported_content: @comment).report_content.deliver_later
+
+    head :no_content
+  end
+
   private
 
   # Use callbacks to share common setup or constraints between actions.

app/controllers/request_for_comments_controller.rb

@@ -168,7 +168,7 @@ def report
 
     ReportMailer.with(reported_content: @request_for_comment).report_content.deliver_later
 
-    redirect_to @request_for_comment, notice: t('.report.reported'), status: :see_other
+    redirect_to @request_for_comment, notice: t('.reported'), status: :see_other
   end
 
   private

app/mailers/report_mailer.rb

@@ -4,15 +4,8 @@ class ReportMailer < ApplicationMailer
   default to: CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails)
 
   def report_content
-    @reported_content = params.fetch(:reported_content)
-    study_group = @reported_content.submission.study_group
-    exercise = @reported_content.exercise
+    @spam_report = SpamReport.new(reported_content: params.fetch(:reported_content))
 
-    # NOTE: This implementation assumes the course URL is static and does not vary per user.
-    # This is currently valid for a majority of use cases. However, in dynamic scenarios (such as
-    # content trees in openHPI used in conjunction with A/B/n testing) this assumption may no longer hold true.
-    @course_url = LtiParameter.find_by(study_group:, exercise:)&.lti_parameters&.[]('launch_presentation_return_url')
-
-    mail(subject: I18n.t('report_mailer.report_content.subject', content_name: @reported_content.model_name.human))
+    mail(subject: I18n.t('report_mailer.report_content.subject', human_model_name: @spam_report.human_model_name))
   end
 end

app/models/comment.rb

@@ -5,8 +5,6 @@ class Comment < ApplicationRecord
   include Creation
   include ActionCableHelper
 
-  attr_accessor :username, :date, :updated, :editable
-
   belongs_to :file, class_name: 'CodeOcean::File'
   has_one :submission, through: :file, source: :context, source_type: 'Submission'
   has_one :request_for_comment, through: :submission

app/models/spam_report.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+class SpamReport
+  def initialize(reported_content:)
+    unless [Comment, RequestForComment].include?(reported_content.class)
+      raise("#{reported_content.model_name} is not configured for spam reports.")
+    end
+
+    @reported_content = reported_content
+  end
+
+  # NOTE: This implementation assumes the course URL is static and does not vary per user.
+  # This is currently valid for a majority of use cases. However, in dynamic scenarios (such as
+  # content trees in openHPI used in conjunction with A/B/n testing) this assumption may no
+  # longer hold true.
+  def course_url = lti_parameters['launch_presentation_return_url']
+
+  def human_model_name = reported_content.model_name.human
+
+  def reported_message
+    case reported_content
+      when RequestForComment
+        reported_content.question
+      when Comment
+        reported_content.text
+    end
+  end
+
+  def related_request_for_comment
+    case reported_content
+      when RequestForComment
+        reported_content
+      when Comment
+        RequestForComment.find_by!(file: reported_content.file)
+    end
+  end
+
+  private
+
+  attr_reader :reported_content
+
+  def lti_parameters = LtiParameter.find_by(study_group:, exercise:)&.lti_parameters || {}
+
+  def study_group
+    reported_content.submission.study_group
+  end
+
+  def exercise
+    related_request_for_comment.exercise
+  end
+end

app/policies/comment_policy.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class CommentPolicy < ApplicationPolicy
+  REPORT_RECEIVER_CONFIGURED = CodeOcean::Config.new(:code_ocean).read.dig(:content_moderation, :report_emails).present?
+
   def create?
     everyone
   end
@@ -16,4 +18,8 @@ def show?
   def index?
     everyone
   end
+
+  def report?
+    REPORT_RECEIVER_CONFIGURED && everyone && !author?
+  end
 end

app/views/comments/index.json.jbuilder

@@ -1,6 +1,11 @@
 # frozen_string_literal: true
 
 json.array!(@comments) do |comment|
-  json.extract! comment, :id, :user_id, :file_id, :row, :column, :text, :username, :date, :updated, :editable
+  json.extract! comment, :id, :user_id, :file_id, :row, :column, :text
+  json.username comment.user.displayname
+  json.date comment.created_at.strftime('%d.%m.%Y %k:%M')
+  json.updated(comment.created_at != comment.updated_at)
+  json.editable policy(comment).edit?
+  json.reportable policy(comment).report?
   json.url comment_url(comment, format: :json)
 end

app/views/report_mailer/report_content.html.slim

@@ -1,6 +1,6 @@
 h3 = t('.prolog')
-blockquote style="white-space: pre-wrap;" = @reported_content.question
+blockquote style="white-space: pre-wrap;" = @spam_report.reported_message
 p = t('.take_action')
-p = link_to(request_for_comment_url(@reported_content), request_for_comment_url(@reported_content))
-- if @course_url.present?
-  p = link_to(t('.authentication'), @course_url)
+p = link_to(request_for_comment_url(@spam_report.related_request_for_comment), request_for_comment_url(@spam_report.related_request_for_comment))
+- if @spam_report.course_url.present?
+  p = link_to(t('.authentication'), @spam_report.course_url)

app/views/report_mailer/report_content.text.slim

@@ -1,12 +1,12 @@
 == t('.prolog')
 == "\n\n"
-== @reported_content.question.lines.map { "> #{it}" }.join
+== @spam_report.reported_message.lines.map { "> #{it}" }.join
 == "\n\n"
 == t('.take_action')
 == "\n\n"
-== request_for_comment_url(@reported_content)
+== request_for_comment_url(@spam_report.related_request_for_comment)
 == "\n\n"
-- if @course_url.present?
+- if @spam_report.course_url.present?
   == t('.authentication')
   == "\n\n"
-  == @course_url
+  == @spam_report.course_url