From df890fd05e0b40f196b0568d6c4c665977eb9364 Mon Sep 17 00:00:00 2001
From: Kris Maglione
Date: Thu, 13 Dec 2012 16:46:31 -0800
Subject: [PATCH] Bug 543047: Prevent editors from deleting reviews for their own add-ons:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

• Prevents senior editors from deleting reviews on their own add-ons
• Prevents all editors from deleting their own reviews from the editor tools
• Displays flagged reviews for editors' own add-ons as disabled in the queues.
---
 apps/editors/templates/editors/queue.html | 2 +-
 apps/editors/tests/test_views.py | 23 +++++++++++++++++++++++
 apps/reviews/forms.py | 5 ++++-
 apps/reviews/helpers.py | 7 ++++---
 media/css/zamboni/zamboni.css | 7 +++++++
 media/js/zamboni/reviews.js | 2 ++
 6 files changed, 41 insertions(+), 5 deletions(-)
diff --git a/apps/editors/templates/editors/queue.html b/apps/editors/templates/editors/queue.html
index 00333d412d..603bb816f2 100644
--- a/apps/editors/templates/editors/queue.html
+++ b/apps/editors/templates/editors/queue.html
@@ -76,7 +76,7 @@ {{ csrf() }} {{ reviews_formset.management_form }} {% for review in reviews_formset.forms %}
-
+
 {{ review.errors }} {{ _('Moderation actions:') }}
diff --git a/apps/editors/tests/test_views.py b/apps/editors/tests/test_views.py
index d698e472db..a01458d8ec 100644
--- a/apps/editors/tests/test_views.py
+++ b/apps/editors/tests/test_views.py
@@ -894,6 +894,29 @@ class TestModeratedQueue(QueueTest):
 # Make sure it was actually deleted.
 eq_(Review.objects.filter(addon=1865).count(), 1)
+ def test_remove_fails_for_own_addon(self):
+ """
+ Make sure the editor tools can't delete a review for an
+ add-on owned by the user.
+ """
+ a = Addon.objects.get(pk=1865)
+ u = UserProfile.objects.get(email='editor@mozilla.com')
+ AddonUser(addon=a, user=u).save()
+
+ # Make sure the initial count is as expected
+ eq_(Review.objects.filter(addon=1865).count(), 2)
+
+ self.setup_actions(reviews.REVIEW_MODERATE_DELETE)
+ logs = self.get_logs(amo.LOG.DELETE_REVIEW)
+ eq_(logs.count(), 0)
+
+ # Make sure it's not removed from the queue.
+ r = self.client.get(self.url)
+ eq_(pq(r.content)('#reviews-flagged .no-results').length, 0)
+
+ # Make sure it was not actually deleted.
+ eq_(Review.objects.filter(addon=1865).count(), 2)
+
 def test_remove_score(self):
 self.create_switch('reviewer-incentive-points')
 self.setup_actions(reviews.REVIEW_MODERATE_DELETE)
diff --git a/apps/reviews/forms.py b/apps/reviews/forms.py
index 2a3659c333..2d14d4e454 100644
--- a/apps/reviews/forms.py
+++ b/apps/reviews/forms.py
@@ -72,8 +72,11 @@ class BaseReviewFlagFormSet(BaseModelFormSet):
 super(BaseReviewFlagFormSet, self).__init__(*args, **kwargs)
 def save(self):
+ from reviews.helpers import user_can_delete_review
+
 for form in self.forms:
- if form.cleaned_data:
+ if form.cleaned_data and user_can_delete_review(self.request,
+ form.instance):
 action = int(form.cleaned_data['action'])
 is_flagged = (form.instance.reviewflag_set.count() > 0)
diff --git a/apps/reviews/helpers.py b/apps/reviews/helpers.py
index e2464845f3..2d8ac28d28 100644
--- a/apps/reviews/helpers.py
+++ b/apps/reviews/helpers.py
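Review bot: The new test in apps/editors/tests/test_views.py covers only an editor who owns the add-on, so the other rule this commit changes in `user_can_delete_review` has no regression test: users allowed by `acl.action_allowed(request, 'Users', 'Edit')` or `acl.action_allowed(request, 'Addons', 'Edit')` can no longer delete reviews on their own add-ons. A sibling test that runs the same `self.setup_actions(reviews.REVIEW_MODERATE_DELETE)` flow as such a user and asserts the review count stays at 2 would pin that path. The test also never inspects the response to the moderation request itself (`setup_actions` is defined outside the hunk), so a request rejected for an unrelated reason would pass it just as well. The enclosing class `TestModeratedQueue` starts outside the hunk.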
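Review bot: In `BaseReviewFlagFormSet.save` (apps/reviews/forms.py) a form that fails `user_can_delete_review` is skipped silently, so a hand-built POST that ignores the disabled inputs leaves no trace and the editor gets no error; logging the refused attempt or surfacing a form error would make it visible. The helper returns True whenever `review.user_id == request.user.id` (see the helpers.py hunk), so this server-side check does not stop an editor moderating a review they wrote themselves. If the second bullet of the commit message is meant to be enforced, it appears to rest on the template and the JS-disabled inputs, which the client controls. The gate also covers every moderation action rather than only deletion, which deserves a comment such as `# Editors may not take any moderation action on reviews of their own add-ons.` if intended. `self.request` is assigned outside the hunk and `save` continues past its end.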
@@ -75,9 +75,10 @@ def user_can_delete_review(request, review):
 is_author = review.addon.has_author(request.user)
 return (
 review.user_id == request.user.id or
- (is_editor and not is_author) or
- acl.action_allowed(request, 'Users', 'Edit') or
- acl.action_allowed(request, 'Addons', 'Edit'))
+ not is_author and (
+ is_editor or
+ acl.action_allowed(request, 'Users', 'Edit') or
+ acl.action_allowed(request, 'Addons', 'Edit')))


 @jingo.register.function
diff --git a/media/css/zamboni/zamboni.css b/media/css/zamboni/zamboni.css
index c452d7e9e7..c28ea3abe5 100644
--- a/media/css/zamboni/zamboni.css
+++ b/media/css/zamboni/zamboni.css
@@ -132,6 +132,13 @@ ul.errorlist {
 color: #ccc;
 }

+.disabled,
+.disabled a[href],
+.disabled label,
+.disabled h3 {
+ color: #888 !important;
+}
+
 /************************************/
 /* GRADIENTS */
 /************************************/
diff --git a/media/js/zamboni/reviews.js b/media/js/zamboni/reviews.js
index 101dab4448..4f0b52e332 100644
--- a/media/js/zamboni/reviews.js
+++ b/media/js/zamboni/reviews.js
@@ -106,4 +106,6 @@ $(document).ready(function() {
 });
 $("select[name='rating']").ratingwidget();
+
+ $('.review-flagged.disabled input').attr('disabled', true);
 });
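Review bot: The rewritten return expression in `user_can_delete_review` (apps/reviews/helpers.py) depends on `and` binding tighter than `or`. It evaluates as own-review `or (not is_author and (...))`, which matches the commit message, but nothing in the code says so and a later edit to this permission check could regroup it by accident. Parenthesising the second operand and adding a comment such as `# Add-on authors may only remove reviews they wrote themselves, whatever other permissions they hold.` would make the rule explicit. The function starts before the hunk, so how `is_editor` is derived and whether `request.user` can be anonymous at this point is not visible here.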
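Review bot: The new `.disabled` rule in media/css/zamboni/zamboni.css is global and uses `!important`, so any element elsewhere on the site that carries a `disabled` class will have its text, links, labels and headings forced to `#888`. Scoping it to the queue markup, for example `.review-flagged.disabled` (the class pair the accompanying JS selects on), keeps the change local and should make `!important` unnecessary.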
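Review bot: The selector `.review-flagged.disabled input` in media/js/zamboni/reviews.js disables every input in the row, hidden ones included, and disabled fields are not submitted with the form. If the formset's hidden per-form fields are rendered inside that container (the template lines are not visible here), the POST for the whole queue page could fail validation and block moderation of the other reviews on it. Limiting the selector to visible controls, e.g. `$('.review-flagged.disabled input:not([type=hidden])').attr('disabled', true);`, avoids that. This line is presentation only; the control that actually refuses the action is the server-side check in `BaseReviewFlagFormSet.save`. The `$(document).ready` callback starts outside the hunk.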