Bug 543047: Prevent editors from deleting reviews for their own add-ons:

• Prevents senior editors from deleting reviews on their own add-ons • Prevents all editors from deleting their own reviews from the editor tools • Displays flagged reviews for editors' own add-ons as disabled in the queues.
2012-12-13 16:46:31 -08:00 · 2012-12-13 16:46:31 -08:00 · df890fd05e
--- a/apps/editors/templates/editors/queue.html
+++ b/apps/editors/templates/editors/queue.html
@ -76,7 +76,7 @@
          {{ csrf() }}
          {{ reviews_formset.management_form }}
          {% for review in reviews_formset.forms %}
-          <div class="review-flagged">
+          <div class="review-flagged{%- if not check_review_delete(review.instance) %} disabled{% endif %}">
            <div class="review-flagged-actions">
              {{ review.errors }}
              <strong>{{ _('Moderation actions:') }}</strong>
--- a/apps/editors/tests/test_views.py
+++ b/apps/editors/tests/test_views.py
@ -894,6 +894,29 @@ class TestModeratedQueue(QueueTest):
        # Make sure it was actually deleted.
        eq_(Review.objects.filter(addon=1865).count(), 1)

+    def test_remove_fails_for_own_addon(self):
+        """
+        Make sure the editor tools can't delete a review for an
+        add-on owned by the user.
+        """
+        a = Addon.objects.get(pk=1865)
+        u = UserProfile.objects.get(email='editor@mozilla.com')
+        AddonUser(addon=a, user=u).save()
+
+        # Make sure the initial count is as expected
+        eq_(Review.objects.filter(addon=1865).count(), 2)
+
+        self.setup_actions(reviews.REVIEW_MODERATE_DELETE)
+        logs = self.get_logs(amo.LOG.DELETE_REVIEW)
+        eq_(logs.count(), 0)
+
+        # Make sure it's not removed from the queue.
+        r = self.client.get(self.url)
+        eq_(pq(r.content)('#reviews-flagged .no-results').length, 0)
+
+        # Make sure it was not actually deleted.
+        eq_(Review.objects.filter(addon=1865).count(), 2)
+
    def test_remove_score(self):
        self.create_switch('reviewer-incentive-points')
        self.setup_actions(reviews.REVIEW_MODERATE_DELETE)
--- a/apps/reviews/forms.py
+++ b/apps/reviews/forms.py
@ -72,8 +72,11 @@ class BaseReviewFlagFormSet(BaseModelFormSet):
        super(BaseReviewFlagFormSet, self).__init__(*args, **kwargs)

    def save(self):
+        from reviews.helpers import user_can_delete_review
+
        for form in self.forms:
-            if form.cleaned_data:
+            if form.cleaned_data and user_can_delete_review(self.request,
+                                                            form.instance):
                action = int(form.cleaned_data['action'])

                is_flagged = (form.instance.reviewflag_set.count() > 0)
--- a/apps/reviews/helpers.py
+++ b/apps/reviews/helpers.py
@ -75,9 +75,10 @@ def user_can_delete_review(request, review):
    is_author = review.addon.has_author(request.user)
    return (
        review.user_id == request.user.id or
-        (is_editor and not is_author) or
-        acl.action_allowed(request, 'Users', 'Edit') or
-        acl.action_allowed(request, 'Addons', 'Edit'))
+        not is_author and (
+            is_editor or
+            acl.action_allowed(request, 'Users', 'Edit') or
+            acl.action_allowed(request, 'Addons', 'Edit')))


@jingo.register.function
--- a/media/css/zamboni/zamboni.css
+++ b/media/css/zamboni/zamboni.css
@ -132,6 +132,13 @@ ul.errorlist {
    color: #ccc;
 }

+.disabled,
+.disabled a[href],
+.disabled label,
+.disabled h3 {
+    color: #888 !important;
+}
+
 /************************************/
 /*             GRADIENTS            */
 /************************************/
--- a/media/js/zamboni/reviews.js
+++ b/media/js/zamboni/reviews.js
@ -106,4 +106,6 @@ $(document).ready(function() {
    });

    $("select[name='rating']").ratingwidget();
+
+    $('.review-flagged.disabled input').attr('disabled', true);
 });