Reviewer Tools Pastebin Re-implementation (#22640)

* Added pastebin reimplementation on reviewer tools side * make lint * Moved attachment upload box to own section (and available for all actions) * Fixed css for textareas, returned datetime-wrapper * Missing assignment * Updated naming for files, limited to .txt and .zip, temporarily updated query number assertion * added waffle enable-activity-log-attachments for user facing menus; * testing * corrected test * Removed zip allowance * migration conflict * test (temp) * import * remove git_extraction.py from pr * ??? * numQueries * review changes * lint * prettier * review changes * lol lint * review comment
2024-09-13 13:58:33 -04:00 · 2024-09-13 13:58:33 -04:00 · c6026f6d89
--- a/src/olympia/activity/api_urls.py
+++ b/src/olympia/activity/api_urls.py
@ -0,0 +1,8 @@
+from django.urls import re_path
+
+from . import views
+
+
+urlpatterns = [
+    re_path(r'^mail/', views.inbound_email, name='inbound-email-api'),
+]
--- a/src/olympia/activity/migrations/0026_alter_activitylog_action_attachmentlog.py
+++ b/src/olympia/activity/migrations/0026_alter_activitylog_action_attachmentlog.py
@ -0,0 +1,37 @@
+# Generated by Django 4.2.15 on 2024-09-04 15:46
+
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+import olympia.activity.models
+import olympia.amo.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('activity', '0025_alter_activitylog_action_cinderpolicylog'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='activitylog',
+            name='action',
+            field=models.SmallIntegerField(choices=[(1, 1), (2, 2), (3, 3), (4, 4), (5, 5), (6, 6), (7, 7), (8, 8), (9, 9), (12, 12), (16, 16), (17, 17), (18, 18), (19, 19), (20, 20), (21, 21), (22, 22), (23, 23), (24, 24), (25, 25), (26, 26), (27, 27), (28, 28), (29, 29), (31, 31), (32, 32), (33, 33), (34, 34), (35, 35), (36, 36), (37, 37), (38, 38), (39, 39), (40, 40), (41, 41), (42, 42), (43, 43), (44, 44), (45, 45), (46, 46), (47, 47), (48, 48), (49, 49), (53, 53), (60, 60), (61, 61), (62, 62), (98, 98), (99, 99), (100, 100), (101, 101), (102, 102), (103, 103), (104, 104), (105, 105), (106, 106), (107, 107), (108, 108), (109, 109), (110, 110), (120, 120), (121, 121), (128, 128), (130, 130), (131, 131), (132, 132), (133, 133), (134, 134), (135, 135), (136, 136), (137, 137), (138, 138), (139, 139), (140, 140), (141, 141), (142, 142), (143, 143), (144, 144), (145, 145), (146, 146), (147, 147), (148, 148), (149, 149), (150, 150), (151, 151), (152, 152), (153, 153), (154, 154), (155, 155), (156, 156), (157, 157), (158, 158), (159, 159), (160, 160), (161, 161), (162, 162), (163, 163), (164, 164), (165, 165), (166, 166), (167, 167), (168, 168), (169, 169), (170, 170), (171, 171), (172, 172), (173, 173), (174, 174), (175, 175), (176, 176), (177, 177), (178, 178), (179, 179), (180, 180), (181, 181), (182, 182), (183, 183), (184, 184), (185, 185), (186, 186), (187, 187), (188, 188), (189, 189), (190, 190), (191, 191), (192, 192)]),
+        ),
+        migrations.CreateModel(
+            name='AttachmentLog',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('created', models.DateTimeField(blank=True, default=django.utils.timezone.now, editable=False)),
+                ('modified', models.DateTimeField(auto_now=True)),
+                ('file', models.FileField(blank=True, null=True, storage=olympia.activity.models.activity_attachment_storage, upload_to=olympia.activity.models.attachment_upload_path)),
+                ('activity_log', models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to='activity.activitylog')),
+            ],
+            options={
+                'db_table': 'log_activity_attachment',
+                'ordering': ('-created',),
+            },
+            bases=(olympia.amo.models.SaveUpdateMixin, models.Model),
+        ),
+    ]
--- a/src/olympia/activity/models.py
+++ b/src/olympia/activity/models.py
@ -1,7 +1,9 @@
 import json
+import os
 import uuid
 from collections import defaultdict
 from copy import copy
+from datetime import datetime
 from inspect import isclass

 from django.apps import apps
@ -20,6 +22,7 @@ from olympia.access.models import Group
 from olympia.addons.models import Addon
 from olympia.amo.fields import IPAddressBinaryField, PositiveAutoField
 from olympia.amo.models import BaseQuerySet, LongNameIndex, ManagerBase, ModelBase
+from olympia.amo.utils import SafeStorage, id_to_path
 from olympia.bandwagon.models import Collection
 from olympia.blocklist.models import Block
 from olympia.constants.activity import _LOG
@ -39,6 +42,20 @@ MAX_TOKEN_USE_COUNT = 100
 GENERIC_USER_NAME = gettext('Add-ons Review Team')


+def attachment_upload_path(instance, filename):
+    ext = os.path.splitext(filename)[1]
+    timestamp = datetime.now().replace(microsecond=0)
+    return os.path.join(
+        'activity_attachment',
+        id_to_path(instance.activity_log.pk, breadth=1),
+        f'{timestamp}{ext}',
+    )
+
+
+def activity_attachment_storage():
+    return SafeStorage(root_setting='MEDIA_ROOT')
+
+
 class GenericMozillaUser(UserProfile):
    class Meta:
        proxy = True
@ -262,6 +279,24 @@ class RatingLog(ModelBase):
        ordering = ('-created',)


+class AttachmentLog(ModelBase):
+    """
+    This table is for indexing the activity log by attachment.
+    """
+
+    activity_log = models.OneToOneField('ActivityLog', on_delete=models.CASCADE)
+    file = models.FileField(
+        upload_to=attachment_upload_path,
+        storage=activity_attachment_storage,
+        blank=True,
+        null=True,
+    )
+
+    class Meta:
+        db_table = 'log_activity_attachment'
+        ordering = ('-created',)
+
+
 class DraftComment(ModelBase):
    """A model that allows us to draft comments for reviews before we have
    an ActivityLog instance ready.
--- a/src/olympia/activity/tests/test_models.py
+++ b/src/olympia/activity/tests/test_models.py
@ -2,6 +2,8 @@ from ipaddress import IPv4Address
 from unittest.mock import Mock
 from uuid import UUID

+from django.core.files.base import ContentFile
+
 from pyquery import PyQuery as pq

 from olympia import amo, core
@ -11,10 +13,12 @@ from olympia.activity.models import (
    ActivityLog,
    ActivityLogToken,
    AddonLog,
+    AttachmentLog,
    DraftComment,
    GenericMozillaUser,
    IPLog,
    ReviewActionReasonLog,
+    attachment_upload_path,
 )
 from olympia.addons.models import Addon, AddonUser
 from olympia.amo.tests import (
@ -507,6 +511,13 @@ class TestActivityLog(TestCase):
            ActivityLog.objects.create(action=amo.LOG.ADD_TAG.id).log == amo.LOG.ADD_TAG
        )

+    def test_attachment_upload_path(self):
+        log = ActivityLog.objects.create(amo.LOG.CUSTOM_TEXT, 'Test Attachment Log')
+        attachment = ContentFile('Pseudo File', name='attachment.txt')
+        attachment_log = AttachmentLog.objects.create(activity_log=log, file=attachment)
+        uploaded_name = attachment_upload_path(attachment_log, attachment.name)
+        assert uploaded_name.endswith('.txt')
+

 class TestDraftComment(TestCase):
    def test_default_requirements(self):
--- a/src/olympia/activity/tests/test_views.py
+++ b/src/olympia/activity/tests/test_views.py
@ -4,13 +4,19 @@ from datetime import datetime, timedelta
 from unittest import mock

 from django.conf import settings
+from django.core.files.base import ContentFile
 from django.test.utils import override_settings

 from rest_framework.exceptions import ErrorDetail
 from rest_framework.test import APIRequestFactory

 from olympia import amo
-from olympia.activity.models import GENERIC_USER_NAME, ActivityLog, ActivityLogToken
+from olympia.activity.models import (
+    GENERIC_USER_NAME,
+    ActivityLog,
+    ActivityLogToken,
+    AttachmentLog,
+)
 from olympia.activity.tests.test_serializers import LogMixin
 from olympia.activity.tests.test_utils import sample_message_content
 from olympia.activity.views import InboundEmailIPPermission, inbound_email
@ -20,6 +26,7 @@ from olympia.addons.models import (
    AddonUser,
 )
 from olympia.addons.utils import generate_addon_guid
+from olympia.amo.reverse import reverse
 from olympia.amo.tests import (
    APITestClientSessionID,
    TestCase,
@ -660,3 +667,33 @@ class TestEmailApi(TestCase):
        res = inbound_email(req)
        assert not _mock.called
        assert res.status_code == 403
+
+
+class TestDownloadAttachment(TestCase):
+    def setUp(self):
+        super().setUp()
+        self.addon = addon_factory(
+            guid=generate_addon_guid(), name='My Addôn', slug='my-addon'
+        )
+        self.user = user_factory(email='admin@mozilla.com')
+        self.log = ActivityLog.objects.create(
+            user=self.user, action=amo.LOG.REVIEWER_REPLY_VERSION
+        )
+        self.attachment = AttachmentLog.objects.create(
+            activity_log=self.log,
+            file=ContentFile('Pseudo File', name='attachment.txt'),
+        )
+
+    def test_download_attachment_success(self):
+        self.client.force_login(self.user)
+        self.grant_permission(self.user, 'Addons:Review', 'Addon Reviewers')
+        url = reverse('activity.attachment', args=[self.log.pk])
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn('.txt', response['Content-Disposition'])
+
+    def test_download_attachment_failure(self):
+        self.client.force_login(self.user)
+        url = reverse('activity.attachment', args=[self.log.pk])
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 404)
--- a/src/olympia/activity/urls.py
+++ b/src/olympia/activity/urls.py
@ -4,5 +4,9 @@ from . import views


 urlpatterns = [
-    re_path(r'^mail/', views.inbound_email, name='inbound-email-api'),
+    re_path(
+        r'^attachment/(?P<log_id>\d+)',
+        views.download_attachment,
+        name='activity.attachment',
+    )
 ]
--- a/src/olympia/activity/views.py
+++ b/src/olympia/activity/views.py
@ -1,4 +1,8 @@
+import os
+
+from django import http
 from django.conf import settings
+from django.db.transaction import non_atomic_requests
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext, gettext_lazy as _

@ -27,6 +31,7 @@ from olympia.activity.utils import (
    log_and_notify,
 )
 from olympia.addons.views import AddonChildMixin
+from olympia.amo.utils import HttpResponseXSendFile
 from olympia.api.permissions import (
    AllowAddonAuthor,
    AllowListedViewerOrReviewer,
@ -166,3 +171,26 @@ def inbound_email(request):
    spam_rating = request.data.get('SpamScore', 0.0)
    process_email.apply_async((message, spam_rating))
    return Response(data=validation_response, status=status.HTTP_201_CREATED)
+
+
+@non_atomic_requests
+def download_attachment(request, log_id):
+    """
+    Download attachment for a given activity log.
+    """
+    log = get_object_or_404(ActivityLog, pk=log_id)
+    attachmentlog = log.attachmentlog
+
+    is_reviewer = acl.action_allowed_for(request.user, amo.permissions.ADDONS_REVIEW)
+    if not is_reviewer:
+        raise http.Http404()
+
+    response = HttpResponseXSendFile(request, attachmentlog.file.path)
+    path = attachmentlog.file.path
+    if not isinstance(path, str):
+        path = path.decode('utf8')
+    name = os.path.basename(path.replace('"', ''))
+    disposition = f'attachment; filename="{name}"'.encode()
+    response['Content-Disposition'] = disposition
+    response['Access-Control-Allow-Origin'] = '*'
+    return response
--- a/src/olympia/api/urls.py
+++ b/src/olympia/api/urls.py
@ -59,13 +59,13 @@ v3_api_urls = [
    re_path(r'^reviews/', include(ratings_v3.urls)),
    re_path(r'^reviewers/', include('olympia.reviewers.api_urls')),
    re_path(r'^', include('olympia.signing.urls')),
-    re_path(r'^activity/', include('olympia.activity.urls')),
+    re_path(r'^activity/', include('olympia.activity.api_urls')),
 ]

 v4_api_urls = [
    re_path(r'^abuse/', include('olympia.abuse.api_urls')),
    re_path(r'^accounts/', include(accounts_v4)),
-    re_path(r'^activity/', include('olympia.activity.urls')),
+    re_path(r'^activity/', include('olympia.activity.api_urls')),
    re_path(r'^addons/', include(addons_v4)),
    re_path(r'^applications/', include('olympia.applications.api_urls')),
    re_path(r'^blocklist/', include('olympia.blocklist.urls')),
@ -81,7 +81,7 @@ v4_api_urls = [
 v5_api_urls = [
    re_path(r'^abuse/', include('olympia.abuse.api_urls')),
    re_path(r'^accounts/', include(accounts_v4)),
-    re_path(r'^activity/', include('olympia.activity.urls')),
+    re_path(r'^activity/', include('olympia.activity.api_urls')),
    re_path(r'^addons/', include(addons_v5)),
    re_path(r'^applications/', include('olympia.applications.api_urls')),
    re_path(r'^blocklist/', include('olympia.blocklist.urls')),
--- a/src/olympia/lib/settings_base.py
+++ b/src/olympia/lib/settings_base.py
@ -264,6 +264,7 @@ SUPPORTED_NONAPPS = (
    'abuse',
    'admin',
    'apps',
+    'activity',
    'contribute.json',
    'developer_agreement',
    'developers',
@ -289,6 +290,7 @@ DEFAULT_APP = 'firefox'
 # This needs to be kept in sync with addons-frontend's validLocaleUrlExceptions
 # https://github.com/mozilla/addons-frontend/blob/master/config/default-amo.js
 SUPPORTED_NONLOCALES = (
+    'activity',
    'contribute.json',
    'google1f3e37b7351799a5.html',
    'google231a41e803e464e9.html',
--- a/src/olympia/reviewers/forms.py
+++ b/src/olympia/reviewers/forms.py
@ -10,6 +10,7 @@ from django.forms.models import (
    modelformset_factory,
 )
 from django.utils.html import format_html, format_html_join
+from django.utils.translation import gettext

 import markupsafe

@ -41,6 +42,8 @@ ACTION_FILTERS = (

 ACTION_DICT = dict(approved=amo.LOG.APPROVE_RATING, deleted=amo.LOG.DELETE_RATING)

+VALID_ATTACHMENT_EXTENSIONS = ('.txt',)
+

 class RatingModerationLogForm(forms.Form):
    start = forms.DateField(required=False, label='View entries between')
@ -299,6 +302,19 @@ class ActionChoiceWidget(forms.RadioSelect):
        return option


+def validate_review_attachment(value):
+    if value:
+        if not value.name.endswith(VALID_ATTACHMENT_EXTENSIONS):
+            valid_extensions_string = '(%s)' % ', '.join(VALID_ATTACHMENT_EXTENSIONS)
+            raise forms.ValidationError(
+                gettext(
+                    'Unsupported file type, please upload a '
+                    'file {extensions}.'.format(extensions=valid_extensions_string)
+                )
+            )
+    return value
+
+
 class ReviewForm(forms.Form):
    # Hack to restore behavior from pre Django 1.10 times.
    # Django 1.10 enabled `required` rendering for required widgets. That
@ -363,6 +379,11 @@ class ReviewForm(forms.Form):
        required=True,
        widget=ReasonsChoiceWidget,
    )
+    attachment_file = forms.FileField(
+        required=False, validators=[validate_review_attachment]
+    )
+    attachment_input = forms.CharField(required=False, widget=forms.Textarea())
+
    version_pk = forms.IntegerField(required=False, min_value=1)
    cinder_jobs_to_resolve = WidgetRenderedModelMultipleChoiceField(
        label='Outstanding DSA related reports to resolve:',
@ -413,6 +434,10 @@ class ReviewForm(forms.Form):
        # If the user select a different type of job before changing actions there could
        # be non-appeal jobs selected as cinder_jobs_to_resolve under resolve_appeal_job
        # action, or appeal jobs under resolve_reports_job action. So filter them out.
+        if self.cleaned_data.get('attachment_input') and self.cleaned_data.get(
+            'attachment_file'
+        ):
+            raise ValidationError('Cannot upload both a file and input.')
        if self.cleaned_data.get('action') == 'resolve_appeal_job':
            self.cleaned_data['cinder_jobs_to_resolve'] = [
                job
--- a/src/olympia/reviewers/migrations/0038_auto_20240909_1647.py
+++ b/src/olympia/reviewers/migrations/0038_auto_20240909_1647.py
@ -0,0 +1,16 @@
+# Generated by Django 4.2.15 on 2024-09-09 16:47
+
+from django.db import migrations
+
+from olympia.core.db.migrations import CreateWaffleSwitch
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('reviewers', '0037_autoapprovalsummary_is_pending_rejection'),
+    ]
+
+    operations = [
+        CreateWaffleSwitch('enable-activity-log-attachments')
+    ]
--- a/src/olympia/reviewers/templates/reviewers/includes/history.html
+++ b/src/olympia/reviewers/templates/reviewers/includes/history.html
@ -14,4 +14,15 @@
      {% endif %}
    {% endif %}
  </td>
+  {% if switch_is_active('enable-activity-log-attachments') %}
+    <td>
+      {% if record.attachmentlog %}
+        {% with attachment=record.attachmentlog.file %}
+        <div>
+          <a class="download-reply-attachment" href="{{ url('activity.attachment', record.pk) }}" download>Download Attachment</a> ({{attachment.size|filesizeformat}})
+        </div>
+        {% endwith %}
+      {% endif %}
+    </td>
+  {% endif %}
 </tr>
--- a/src/olympia/reviewers/templates/reviewers/review.html
+++ b/src/olympia/reviewers/templates/reviewers/review.html
@ -102,7 +102,7 @@
 </form>
 {% endif %}

-<form method="POST" action="#review-actions" class="review-form">
+<form method="POST" enctype="multipart/form-data" action="#review-actions" class="review-form">
  {% csrf_token %}

  <input type="hidden" name="version_pk" value="{{ version.pk }}"/>
@ -261,6 +261,23 @@
          </div>
        </div>
      </div>
+      {% if switch_is_active('enable-activity-log-attachments') %}
+        <div class="review-actions-section review-actions-attachment-reply">
+          <label>Attachment:</label>
+          <div id="attachment-type-toggle">
+            <button type="button" id="toggle_attachment_file">Upload</button>
+            or <a id="toggle_attachment_input">Paste from Clipboard</a>
+          </div>
+          <div id="attachment_input_wrapper" class="hidden">
+            {{ form.attachment_input }}
+          </div>
+          <div id="attachment_file_wrapper" class="hidden">
+              {{ form.attachment_file }}
+          </div>
+          {{ form.attachment_input.errors }}
+          {{ form.attachment_file.errors }}
+        </div>
+      {% endif %}
      <div class="review-actions-section review-actions-save">
        <span class="currently_viewing_warning">
          {% trans %}
--- a/src/olympia/reviewers/tests/test_forms.py
+++ b/src/olympia/reviewers/tests/test_forms.py
@ -1,6 +1,7 @@
 import uuid
 from datetime import datetime

+from django.core.files.base import ContentFile
 from django.utils.encoding import force_str

 from pyquery import PyQuery as pq
@ -48,9 +49,10 @@ class TestReviewForm(TestCase):
        self.request = FakeRequest()
        self.file = self.version.file

-    def get_form(self, data=None):
+    def get_form(self, data=None, files=None):
        return ReviewForm(
            data=data,
+            files=files,
            helper=ReviewHelper(
                addon=self.addon, version=self.version, user=self.request.user
            ),
@ -1134,3 +1136,25 @@ class TestReviewForm(TestCase):
            # only policies that are expose_in_reviewer_tools=True should be included
            policy_exposed
        ]
+
+    def test_upload_attachment(self):
+        self.grant_permission(self.request.user, 'Addons:Review')
+        attachment = ContentFile('Pseudo File', name='attachment.txt')
+        data = {
+            'action': 'reply',
+            'comments': 'lol',
+        }
+        files = {'attachment_file': attachment}
+
+        form = self.get_form(data=data, files=files)
+        assert form.is_valid()
+        assert not form.errors
+
+        data['attachment_input'] = 'whee'
+        form = self.get_form(data=data)
+        assert form.is_valid()
+        assert not form.errors
+
+        form = self.get_form(data=data, files=files)
+        assert not form.is_valid()
+        assert form.errors == {'__all__': ['Cannot upload both a file and input.']}
--- a/src/olympia/reviewers/tests/test_utils.py
+++ b/src/olympia/reviewers/tests/test_utils.py
@ -5,6 +5,7 @@ from unittest.mock import call, patch

 from django.conf import settings
 from django.core import mail
+from django.core.files.base import ContentFile
 from django.core.files.storage import default_storage as storage
 from django.test.utils import override_settings
 from django.urls import reverse
@ -17,6 +18,7 @@ from olympia.abuse.models import AbuseReport, CinderDecision, CinderJob, CinderP
 from olympia.activity.models import (
    ActivityLog,
    ActivityLogToken,
+    AttachmentLog,
    CinderPolicyLog,
    ReviewActionReasonLog,
 )
@ -1162,6 +1164,30 @@ class TestReviewHelper(TestReviewHelperBase):
        assert logs.count() == 1
        assert logs[0].user == task_user

+    def test_log_action_attachment_input(self):
+        assert AttachmentLog.objects.count() == 0
+        data = self.get_data()
+        text = 'This is input'
+        data['attachment_input'] = 'This is input'
+        self.helper.set_data(data)
+        self.helper.handler.log_action(amo.LOG.REJECT_VERSION)
+        assert AttachmentLog.objects.count() == 1
+        attachment_log = AttachmentLog.objects.first()
+        file_content = attachment_log.file.read().decode('utf-8')
+        assert file_content == text
+
+    def test_log_action_attachment_file(self):
+        assert AttachmentLog.objects.count() == 0
+        text = "I'm a text file"
+        data = self.get_data()
+        data['attachment_file'] = ContentFile(text, name='attachment.txt')
+        self.helper.set_data(data)
+        self.helper.handler.log_action(amo.LOG.REJECT_VERSION)
+        assert AttachmentLog.objects.count() == 1
+        attachment_log = AttachmentLog.objects.first()
+        file_content = attachment_log.file.read().decode('utf-8')
+        assert file_content == text
+
    @patch('olympia.reviewers.utils.notify_addon_decision_to_cinder.delay')
    @patch('olympia.reviewers.utils.resolve_job_in_cinder.delay')
    def test_notify_decision_calls_resolve_job_in_cinder(
--- a/src/olympia/reviewers/tests/test_views.py
+++ b/src/olympia/reviewers/tests/test_views.py
@ -10,7 +10,7 @@ from django.conf import settings
 from django.core import mail
 from django.core.cache import cache
 from django.core.files import temp
-from django.core.files.base import File as DjangoFile
+from django.core.files.base import ContentFile, File as DjangoFile
 from django.db import connection, reset_queries
 from django.template import defaultfilters
 from django.test.client import RequestFactory
@ -30,7 +30,7 @@ from olympia.abuse.models import AbuseReport, CinderDecision, CinderJob, CinderP
 from olympia.access import acl
 from olympia.access.models import Group, GroupUser
 from olympia.accounts.serializers import BaseUserSerializer
-from olympia.activity.models import ActivityLog, DraftComment
+from olympia.activity.models import ActivityLog, AttachmentLog, DraftComment
 from olympia.addons.models import (
    UPCOMING_DUE_DATE_CUT_OFF_DAYS_CONFIG_DEFAULT,
    Addon,
@ -2611,6 +2611,65 @@ class TestReview(ReviewBase):
        assert len(mail.outbox) == 1
        self.assertTemplateUsed(response, 'activity/emails/from_reviewer.txt')

+    def test_attachment_input(self):
+        self.client.post(
+            self.url,
+            {'action': 'reply', 'comments': 'hello sailor'},
+        )
+        # A regular reply does not create an AttachmentLog.
+        assert AttachmentLog.objects.count() == 0
+        text = 'babys first build log'
+        response = self.client.post(
+            self.url,
+            {
+                'action': 'reply',
+                'comments': 'hello sailor',
+                'attachment_input': text,
+            },
+        )
+        assert response.status_code == 302
+        assert AttachmentLog.objects.count() == 1
+        attachment_log = AttachmentLog.objects.first()
+        file_content = attachment_log.file.read().decode('utf-8')
+        assert file_content == text
+
+    def test_attachment_valid_upload(self):
+        assert AttachmentLog.objects.count() == 0
+        text = "I'm a text file"
+        attachment = ContentFile(text, name='attachment.txt')
+        response = self.client.post(
+            self.url,
+            {
+                'action': 'reply',
+                'comments': 'hello sailor',
+                'attachment_file': attachment,
+            },
+        )
+        assert response.status_code == 302
+        assert AttachmentLog.objects.count() == 1
+        attachment_log = AttachmentLog.objects.first()
+        file_content = attachment_log.file.read().decode('utf-8')
+        assert file_content == text
+
+    @override_switch('enable-activity-log-attachments', active=True)
+    def test_attachment_invalid_upload(self):
+        assert AttachmentLog.objects.count() == 0
+        attachment = ContentFile("I'm not a text file", name='attachment.png')
+        response = self.client.post(
+            self.url,
+            {
+                'action': 'reply',
+                'comments': 'hello sailor',
+                'attachment_file': attachment,
+            },
+        )
+        assert response.status_code != 302
+        assert AttachmentLog.objects.count() == 0
+        self.assertIn(
+            'Unsupported file type, please upload a file (.txt)',
+            response.content.decode('utf-8'),
+        )
+
    def test_page_title(self):
        response = self.client.get(self.url)
        assert response.status_code == 200
@ -2704,7 +2763,7 @@ class TestReview(ReviewBase):
            str(author.get_role_display()),
            self.addon,
        )
-        with self.assertNumQueries(56):
+        with self.assertNumQueries(57):
            # FIXME: obviously too high, but it's a starting point.
            # Potential further optimizations:
            # - Remove trivial... and not so trivial duplicates
@ -2769,6 +2828,7 @@ class TestReview(ReviewBase):
            # 54. cinder policies for the policy dropdown
            # 55. select users by role for this add-on (?)
            # 56. unreviewed versions in other channel
+            # 57. attachmentlog
            response = self.client.get(self.url)
        assert response.status_code == 200
        doc = pq(response.content)
@ -2951,15 +3011,27 @@ class TestReview(ReviewBase):
            in doc('#versions-history .review-files .listing-header .light').text()
        )

+    @override_switch('enable-activity-log-attachments', active=True)
    def test_item_history_comment(self):
        # Add Comment.
        self.client.post(self.url, {'action': 'comment', 'comments': 'hello sailor'})
+        # Add reply with an attachment.
+        self.client.post(
+            self.url,
+            {
+                'action': 'reply',
+                'comments': 'hello again sailor',
+                'attachment_input': 'build log',
+            },
+        )

        response = self.client.get(self.url)
        assert response.status_code == 200
        doc = pq(response.content)('#versions-history .review-files')
        assert doc('th').eq(1).text() == 'Commented'
-        assert doc('.history-comment').text() == 'hello sailor'
+        assert doc('.history-comment').eq(0).text() == 'hello sailor'
+        assert doc('.history-comment').eq(1).text() == 'hello again sailor'
+        assert len(doc('.download-reply-attachment')) == 1

    def test_item_history_pending_rejection(self):
        response = self.client.get(self.url)
@ -5438,7 +5510,7 @@ class TestReview(ReviewBase):
                    results={'matchedRules': [customs_rule.name]},
                )

-        with self.assertNumQueries(57):
+        with self.assertNumQueries(58):
            # See test_item_history_pagination() for more details about the
            # queries count. What's important here is that the extra versions
            # and scanner results don't cause extra queries.
--- a/src/olympia/reviewers/utils.py
+++ b/src/olympia/reviewers/utils.py
@ -3,6 +3,7 @@ from datetime import datetime, timedelta

 from django.conf import settings
 from django.contrib.humanize.templatetags.humanize import naturaltime
+from django.core.files.base import ContentFile
 from django.db.models import Count, F, Q
 from django.urls import reverse
 from django.utils.http import urlencode
@ -15,7 +16,7 @@ from olympia import amo
 from olympia.abuse.models import CinderJob, CinderPolicy
 from olympia.abuse.tasks import notify_addon_decision_to_cinder, resolve_job_in_cinder
 from olympia.access import acl
-from olympia.activity.models import ActivityLog
+from olympia.activity.models import ActivityLog, AttachmentLog
 from olympia.activity.utils import notify_about_activity_log
 from olympia.addons.models import Addon, AddonApprovalsCounter, AddonReviewerFlags
 from olympia.constants.abuse import DECISION_ACTIONS
@ -1017,6 +1018,17 @@ class ReviewBase:
        kwargs = {'user': user or self.user, 'created': timestamp, 'details': details}
        self.log_entry = ActivityLog.objects.create(action, *args, **kwargs)

+        attachment = None
+        if self.data.get('attachment_file'):
+            attachment = self.data.get('attachment_file')
+        elif self.data.get('attachment_input'):
+            # The name will be overridden later by attachment_upload_path.
+            attachment = ContentFile(
+                self.data['attachment_input'], name='attachment.txt'
+            )
+        if attachment is not None:
+            AttachmentLog.objects.create(activity_log=self.log_entry, file=attachment)
+
    def reviewer_reply(self):
        # Default to reviewer reply action.
        action = amo.LOG.REVIEWER_REPLY_VERSION
--- a/src/olympia/reviewers/views.py
+++ b/src/olympia/reviewers/views.py
@ -527,7 +527,9 @@ def review(request, addon, channel=None):
        human_review=True,
    )
    form = ReviewForm(
-        request.POST if request.method == 'POST' else None, helper=form_helper
+        request.POST if request.method == 'POST' else None,
+        request.FILES if request.method == 'POST' else None,
+        helper=form_helper,
    )

    reports = Paginator(AbuseReport.objects.for_addon(addon), 5).page(1)
--- a/src/olympia/urls.py
+++ b/src/olympia/urls.py
@ -43,6 +43,8 @@ urlpatterns = [
    re_path(r'^uploads/', include(upload_patterns)),
    # Downloads.
    re_path(r'^downloads/', include(download_patterns)),
+    # Activity.
+    re_path(r'activity/', include('olympia.activity.urls')),
    # Users
    re_path(r'', include('olympia.users.urls')),
    # Developer Hub.
--- a/static/css/zamboni/reviewers.less
+++ b/static/css/zamboni/reviewers.less
@ -896,6 +896,11 @@ form.review-form .data-toggle {
    height: 200px;
 }

+#review-actions-form #id_attachment_input {
+    height: 100px;
+    width: 30%;
+}
+
 #review-actions-form .review-actions-desc {
    text-align: center;
 }
@ -1406,3 +1411,12 @@ table.abuse_reports {
        margin-bottom: 0;
    }
 }
+
+#attachment-type-toggle, #id_attachment_file {
+    padding: 0.5em;
+}
+
+.review-actions-attachment-reply {
+    display: flex;
+    flex-direction: column;
+}
--- a/static/css/zamboni/zamboni.css
+++ b/static/css/zamboni/zamboni.css
@ -724,6 +724,11 @@ th, td {
    padding: 0.308em 0.537em 0.214em 0.231em; /* 4px 7px 3px 7px */
 }

+div:has(> .download-reply-attachment) {
+    display: flex;
+    flex-direction: column;
+    text-align: right;
+}

 /** Button =Popups *********/
 .install {
--- a/static/js/zamboni/reviewers.js
+++ b/static/js/zamboni/reviewers.js
@ -301,6 +301,20 @@ function initExtraReviewActions() {
    }),
  );

+  $('#toggle_attachment_file').on('click', function (e) {
+    e.preventDefault();
+    $('#attachment-type-toggle').addClass('hidden');
+    $('#attachment_input_wrapper').addClass('hidden');
+    $('#attachment_file_wrapper').removeClass('hidden');
+  });
+
+  $('#toggle_attachment_input').on('click', function (e) {
+    e.preventDefault();
+    $('#attachment-type-toggle').addClass('hidden');
+    $('#attachment_file_wrapper').addClass('hidden');
+    $('#attachment_input_wrapper').removeClass('hidden');
+  });
+
  // One-off-style buttons.
  $('.more-actions button.oneoff[data-api-url]').click(
    _pd(function () {