Merge pull request #230 from Human-Connection/showDisabledForModerators

Obfuscate disabled comments and posts by default
2025-12-13 07:45:56 +00:00 · 2019-03-14 00:30:50 +01:00 · 2019-03-14 00:30:50 +01:00 · fd02679588
commit fd02679588
parent d1a9f2f0f1 4c85465ef8
8 changed files with 276 additions and 109 deletions
--- a/src/middleware/idMiddleware.js
+++ b/src/middleware/idMiddleware.js
@ -1,28 +0,0 @@
-import cloneDeep from 'lodash/cloneDeep'
-
-const includeId = async (resolve, root, args, context, resolveInfo) => {
-  // Keeping the graphql resolveInfo untouched ensures that we don't add the
-  // following attributes to the result set returned to the graphQL client.
-  // We only want to pass these attributes to our resolver for internal
-  // purposes e.g. authorization.
-  const copy = cloneDeep(resolveInfo)
-
-  copy.fieldNodes[0].selectionSet.selections.unshift({
-    kind: 'Field',
-    name: { kind: 'Name', value: 'id' }
-  })
-  return resolve(root, args, context, copy)
-}
-
-export default {
-  Query: {
-    User: (resolve, root, args, context, info) => {
-      return includeId(resolve, root, args, context, info)
-    }
-  },
-  Mutation: {
-    CreatePost: (resolve, root, args, context, info) => {
-      return includeId(resolve, root, args, context, info)
-    }
-  }
-}
--- a/src/middleware/includedFieldsMiddleware.js
+++ b/src/middleware/includedFieldsMiddleware.js
@ -0,0 +1,29 @@
+import cloneDeep from 'lodash/cloneDeep'
+
+const _includeFieldsRecursively = (selectionSet, includedFields) => {
+  if (!selectionSet) return
+  includedFields.forEach((includedField) => {
+    selectionSet.selections.unshift({
+      kind: 'Field',
+      name: { kind: 'Name', value: includedField }
+    })
+  })
+  selectionSet.selections.forEach((selection) => {
+    _includeFieldsRecursively(selection.selectionSet, includedFields)
+  })
+}
+
+const includeFieldsRecursively = (includedFields) => {
+  return (resolve, root, args, context, resolveInfo) => {
+    const copy = cloneDeep(resolveInfo)
+    copy.fieldNodes.forEach((fieldNode) => {
+      _includeFieldsRecursively(fieldNode.selectionSet, includedFields)
+    })
+    return resolve(root, args, context, copy)
+  }
+}
+
+export default {
+  Query: includeFieldsRecursively(['id', 'disabled', 'deleted']),
+  Mutation: includeFieldsRecursively(['id', 'disabled', 'deleted'])
+}
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@ -7,7 +7,7 @@ import dateTimeMiddleware from './dateTimeMiddleware'
 import xssMiddleware from './xssMiddleware'
 import permissionsMiddleware from './permissionsMiddleware'
 import userMiddleware from './userMiddleware'
-import idMiddleware from './idMiddleware'
+import includedFieldsMiddleware from './includedFieldsMiddleware'

 export default schema => {
  let middleware = [
@ -19,7 +19,7 @@ export default schema => {
    fixImageUrlsMiddleware,
    softDeleteMiddleware,
    userMiddleware,
-    idMiddleware
+    includedFieldsMiddleware
  ]

  // add permisions middleware at the first position (unless we're seeding)
--- a/src/middleware/softDeleteMiddleware.js
+++ b/src/middleware/softDeleteMiddleware.js
@ -1,26 +1,45 @@
-const setDefaults = (args) => {
+const isModerator = ({ user }) => {
+  return user && (user.role === 'moderator' || user.role === 'admin')
+}
+
+const setDefaultFilters = (resolve, root, args, context, info) => {
  if (typeof args.deleted !== 'boolean') {
    args.deleted = false
  }
-  if (typeof args.disabled !== 'boolean') {
+
+  if (!isModerator(context)) {
    args.disabled = false
  }
-  return args
+  return resolve(root, args, context, info)
+}
+
+const obfuscateDisabled = async (resolve, root, args, context, info) => {
+  if (!isModerator(context) && root.disabled) {
+    root.content = 'DELETED'
+    root.contentExcerpt = 'DELETED'
+    root.title = 'DELETED'
+    root.image = 'DELETED'
+    root.avatar = 'DELETED'
+    root.about = 'DELETED'
+  }
+  return resolve(root, args, context, info)
 }

 export default {
  Query: {
-    Post: (resolve, root, args, context, info) => {
-      return resolve(root, setDefaults(args), context, info)
-    },
-    Comment: async (resolve, root, args, context, info) => {
-      return resolve(root, setDefaults(args), context, info)
-    },
-    User: async (resolve, root, args, context, info) => {
-      return resolve(root, setDefaults(args), context, info)
-    }
+    Post: setDefaultFilters,
+    Comment: setDefaultFilters,
+    User: setDefaultFilters
  },
  Mutation: async (resolve, root, args, context, info) => {
-    return resolve(root, setDefaults(args), context, info)
-  }
+    args.disabled = false
+    // TODO: remove as soon as our factories don't need this anymore
+    if (typeof args.deleted !== 'boolean') {
+      args.deleted = false
+    }
+    return resolve(root, args, context, info)
+  },
+  Post: obfuscateDisabled,
+  User: obfuscateDisabled,
+  Comment: obfuscateDisabled
 }
--- a/src/middleware/softDeleteMiddleware.spec.js
+++ b/src/middleware/softDeleteMiddleware.spec.js
@ -7,41 +7,103 @@ let client
 let query
 let action

-beforeEach(async () => {
+beforeAll(async () => {
+  // For performance reasons we do this only once
  await Promise.all([
-    factory.create('User', { role: 'user', email: 'user@example.org', password: '1234' }),
-    factory.create('User', { id: 'm1', role: 'moderator', email: 'moderator@example.org', password: '1234' })
+    factory.create('User', { id: 'u1', role: 'user', email: 'user@example.org', password: '1234' }),
+    factory.create('User', { id: 'm1', role: 'moderator', email: 'moderator@example.org', password: '1234' }),
+    factory.create('User', { id: 'u2', role: 'user', avatar: '/some/offensive/avatar.jpg', about: 'This self description is very offensive', email: 'troll@example.org', password: '1234' })
  ])
+
  await factory.authenticateAs({ email: 'user@example.org', password: '1234' })
  await Promise.all([
-    factory.create('Post', { title: 'Deleted post', deleted: true }),
-    factory.create('Post', { id: 'p2', title: 'Disabled post', deleted: false }),
-    factory.create('Post', { title: 'Publicly visible post', deleted: false })
+    factory.follow({ id: 'u2', type: 'User' }),
+    factory.create('Post', { id: 'p1', title: 'Deleted post', deleted: true }),
+    factory.create('Post', { id: 'p3', title: 'Publicly visible post', deleted: false })
  ])
-  const moderatorFactory = Factory()
-  await moderatorFactory.authenticateAs({ email: 'moderator@example.org', password: '1234' })
-  const disableMutation = `
-      mutation {
-        disable(
-          id: "p2"
-        )
-      }
-    `
-  await moderatorFactory.mutate(disableMutation)
+
+  await Promise.all([
+    factory.create('Comment', { id: 'c2', content: 'Enabled comment on public post' })
+  ])
+
+  await Promise.all([
+    factory.relate('Comment', 'Author', { from: 'u1', to: 'c2' }),
+    factory.relate('Comment', 'Post', { from: 'c2', to: 'p3' })
+  ])
+
+  const asTroll = Factory()
+  await asTroll.authenticateAs({ email: 'troll@example.org', password: '1234' })
+  await asTroll.create('Post', { id: 'p2', title: 'Disabled post', content: 'This is an offensive post content', image: '/some/offensive/image.jpg', deleted: false })
+  await asTroll.create('Comment', { id: 'c1', content: 'Disabled comment' })
+  await Promise.all([
+    asTroll.relate('Comment', 'Author', { from: 'u2', to: 'c1' }),
+    asTroll.relate('Comment', 'Post', { from: 'c1', to: 'p3' })
+  ])
+
+  const asModerator = Factory()
+  await asModerator.authenticateAs({ email: 'moderator@example.org', password: '1234' })
+  await asModerator.mutate('mutation { disable( id: "p2") }')
+  await asModerator.mutate('mutation { disable( id: "c1") }')
+  await asModerator.mutate('mutation { disable( id: "u2") }')
 })

-afterEach(async () => {
+afterAll(async () => {
  await factory.cleanDatabase()
 })

 describe('softDeleteMiddleware', () => {
-  describe('Post', () => {
+  describe('read disabled content', () => {
+    let user
+    let post
+    let comment
+    const beforeComment = async () => {
+      query = '{ User(id: "u1") { following { comments { content contentExcerpt }  } } }'
+      const response = await action()
+      comment = response.User[0].following[0].comments[0]
+    }
+    const beforeUser = async () => {
+      query = '{ User(id: "u1") { following { about avatar } } }'
+      const response = await action()
+      user = response.User[0].following[0]
+    }
+    const beforePost = async () => {
+      query = '{ User(id: "u1") { following { contributions { title image content contentExcerpt }  } } }'
+      const response = await action()
+      post = response.User[0].following[0].contributions[0]
+    }
+
    action = () => {
      return client.request(query)
    }

-    beforeEach(() => {
-      query = '{ Post { title } }'
+    describe('as moderator', () => {
+      beforeEach(async () => {
+        const headers = await login({ email: 'moderator@example.org', password: '1234' })
+        client = new GraphQLClient(host, { headers })
+      })
+
+      describe('User', () => {
+        beforeEach(beforeUser)
+
+        it('displays about', () => expect(user.about).toEqual('This self description is very offensive'))
+        it('displays avatar', () => expect(user.avatar).toEqual('/some/offensive/avatar.jpg'))
+      })
+
+      describe('Post', () => {
+        beforeEach(beforePost)
+
+        it('displays title', () => expect(post.title).toEqual('Disabled post'))
+        it('displays content', () => expect(post.content).toEqual('This is an offensive post content'))
+        it('displays contentExcerpt', () => expect(post.contentExcerpt).toEqual('This is an offensive post content'))
+        it('displays image', () => expect(post.image).toEqual('/some/offensive/image.jpg'))
+      })
+
+      describe('Comment', () => {
+        beforeEach(beforeComment)
+
+        it('displays content', () => expect(comment.content).toEqual('Disabled comment'))
+        it('displays contentExcerpt', () => expect(comment.contentExcerpt).toEqual('Disabled comment'))
+      })
    })

    describe('as user', () => {
@ -50,27 +112,35 @@ describe('softDeleteMiddleware', () => {
        client = new GraphQLClient(host, { headers })
      })

-      it('hides deleted or disabled posts', async () => {
-        const expected = { Post: [{ title: 'Publicly visible post' }] }
-        await expect(action()).resolves.toEqual(expected)
+      describe('User', () => {
+        beforeEach(beforeUser)
+
+        it('obfuscates about', () => expect(user.about).toEqual('DELETED'))
+        it('obfuscates avatar', () => expect(user.avatar).toEqual('DELETED'))
+      })
+
+      describe('Post', () => {
+        beforeEach(beforePost)
+
+        it('obfuscates title', () => expect(post.title).toEqual('DELETED'))
+        it('obfuscates content', () => expect(post.content).toEqual('DELETED'))
+        it('obfuscates contentExcerpt', () => expect(post.contentExcerpt).toEqual('DELETED'))
+        it('obfuscates image', () => expect(post.image).toEqual('DELETED'))
+      })
+
+      describe('Comment', () => {
+        beforeEach(beforeComment)
+
+        it('obfuscates content', () => expect(comment.content).toEqual('DELETED'))
+        it('obfuscates contentExcerpt', () => expect(comment.contentExcerpt).toEqual('DELETED'))
      })
    })
+  })

-    describe('as moderator', () => {
+  describe('Query', () => {
+    describe('Post', () => {
      beforeEach(async () => {
-        const headers = await login({ email: 'moderator@example.org', password: '1234' })
-        client = new GraphQLClient(host, { headers })
-      })
-
-      it('hides deleted or disabled posts', async () => {
-        const expected = { Post: [{ title: 'Publicly visible post' }] }
-        await expect(action()).resolves.toEqual(expected)
-      })
-    })
-
-    describe('filter (deleted: true)', () => {
-      beforeEach(() => {
-        query = '{ Post(deleted: true) { title } }'
+        query = '{ Post { title } }'
      })

      describe('as user', () => {
@ -79,8 +149,9 @@ describe('softDeleteMiddleware', () => {
          client = new GraphQLClient(host, { headers })
        })

-        it('throws authorisation error', async () => {
-          await expect(action()).rejects.toThrow('Not Authorised!')
+        it('hides deleted or disabled posts', async () => {
+          const expected = { Post: [{ title: 'Publicly visible post' }] }
+          await expect(action()).resolves.toEqual(expected)
        })
      })

@ -90,38 +161,109 @@ describe('softDeleteMiddleware', () => {
          client = new GraphQLClient(host, { headers })
        })

-        it('shows deleted posts', async () => {
-          const expected = { Post: [{ title: 'Deleted post' }] }
-          await expect(action()).resolves.toEqual(expected)
+        it('shows disabled but hides deleted posts', async () => {
+          const expected = [
+            { title: 'Disabled post' },
+            { title: 'Publicly visible post' }
+          ]
+          const { Post } = await action()
+          await expect(Post).toEqual(expect.arrayContaining(expected))
        })
      })
-    })

-    describe('filter (disabled: true)', () => {
-      beforeEach(() => {
-        query = '{ Post(disabled: true) { title } }'
-      })
-
-      describe('as user', () => {
+      describe('.comments', () => {
        beforeEach(async () => {
-          const headers = await login({ email: 'user@example.org', password: '1234' })
-          client = new GraphQLClient(host, { headers })
+          query = '{ Post(id: "p3") { title comments { content } } }'
        })

-        it('throws authorisation error', async () => {
-          await expect(action()).rejects.toThrow('Not Authorised!')
+        describe('as user', () => {
+          beforeEach(async () => {
+            const headers = await login({ email: 'user@example.org', password: '1234' })
+            client = new GraphQLClient(host, { headers })
+          })
+
+          it('conceals disabled comments', async () => {
+            const expected = [
+              { content: 'Enabled comment on public post' },
+              { content: 'DELETED' }
+            ]
+            const { Post: [{ comments }] } = await action()
+            await expect(comments).toEqual(expect.arrayContaining(expected))
+          })
+        })
+
+        describe('as moderator', () => {
+          beforeEach(async () => {
+            const headers = await login({ email: 'moderator@example.org', password: '1234' })
+            client = new GraphQLClient(host, { headers })
+          })
+
+          it('shows disabled comments', async () => {
+            const expected = [
+              { content: 'Enabled comment on public post' },
+              { content: 'Disabled comment' }
+            ]
+            const { Post: [{ comments }] } = await action()
+            await expect(comments).toEqual(expect.arrayContaining(expected))
+          })
        })
      })

-      describe('as moderator', () => {
-        beforeEach(async () => {
-          const headers = await login({ email: 'moderator@example.org', password: '1234' })
-          client = new GraphQLClient(host, { headers })
+      describe('filter (deleted: true)', () => {
+        beforeEach(() => {
+          query = '{ Post(deleted: true) { title } }'
        })

-        it('shows disabled posts', async () => {
-          const expected = { Post: [{ title: 'Disabled post' }] }
-          await expect(action()).resolves.toEqual(expected)
+        describe('as user', () => {
+          beforeEach(async () => {
+            const headers = await login({ email: 'user@example.org', password: '1234' })
+            client = new GraphQLClient(host, { headers })
+          })
+
+          it('throws authorisation error', async () => {
+            await expect(action()).rejects.toThrow('Not Authorised!')
+          })
+        })
+
+        describe('as moderator', () => {
+          beforeEach(async () => {
+            const headers = await login({ email: 'moderator@example.org', password: '1234' })
+            client = new GraphQLClient(host, { headers })
+          })
+
+          it('shows deleted posts', async () => {
+            const expected = { Post: [{ title: 'Deleted post' }] }
+            await expect(action()).resolves.toEqual(expected)
+          })
+        })
+      })
+
+      describe('filter (disabled: true)', () => {
+        beforeEach(() => {
+          query = '{ Post(disabled: true) { title } }'
+        })
+
+        describe('as user', () => {
+          beforeEach(async () => {
+            const headers = await login({ email: 'user@example.org', password: '1234' })
+            client = new GraphQLClient(host, { headers })
+          })
+
+          it('throws authorisation error', async () => {
+            await expect(action()).rejects.toThrow('Not Authorised!')
+          })
+        })
+
+        describe('as moderator', () => {
+          beforeEach(async () => {
+            const headers = await login({ email: 'moderator@example.org', password: '1234' })
+            client = new GraphQLClient(host, { headers })
+          })
+
+          it('shows disabled posts', async () => {
+            const expected = { Post: [{ title: 'Disabled post' }] }
+            await expect(action()).resolves.toEqual(expected)
+          })
        })
      })
    })
--- a/src/schema.graphql
+++ b/src/schema.graphql
@ -148,7 +148,7 @@ type User {
  )

  comments: [Comment]! @relation(name: "WROTE", direction: "OUT")
-  commentsCount: Int! @cypher(statement: "MATCH (this)-[:WROTE]->(r:Comment) WHERE NOT r.deleted = true RETURN COUNT(r)")
+  commentsCount: Int! @cypher(statement: "MATCH (this)-[:WROTE]->(r:Comment) WHERE NOT r.deleted = true AND NOT r.disabled = true RETURN COUNT(r)")

  shouted: [Post]! @relation(name: "SHOUTED", direction: "OUT")
  shoutedCount: Int! @cypher(statement: "MATCH (this)-[:SHOUTED]->(r:Post) WHERE NOT r.deleted = true AND NOT r.disabled = true RETURN COUNT(DISTINCT r)")
@ -189,7 +189,7 @@ type Post {
  categories: [Category]! @relation(name: "CATEGORIZED", direction: "OUT")

  comments: [Comment]! @relation(name: "COMMENTS", direction: "IN")
-  commentsCount: Int! @cypher(statement: "MATCH (this)<-[:COMMENTS]-(r:Comment) RETURN COUNT(r)")
+  commentsCount: Int! @cypher(statement: "MATCH (this)<-[:COMMENTS]-(r:Comment) WHERE NOT r.deleted = true AND NOT r.disabled = true  RETURN COUNT(r)")

  shoutedBy: [User]! @relation(name: "SHOUTED", direction: "IN")
  shoutedCount: Int! @cypher(statement: "MATCH (this)<-[:SHOUTED]-(r:User) WHERE NOT r.deleted = true AND NOT r.disabled = true RETURN COUNT(DISTINCT r)")
--- a/src/seed/factories/users.js
+++ b/src/seed/factories/users.js
@ -9,6 +9,7 @@ export default function create (params) {
    password = '1234',
    role = 'user',
    avatar = faker.internet.avatar(),
+    about = faker.lorem.paragraph(),
    disabled = false,
    deleted = false
  } = params
@ -21,6 +22,7 @@ export default function create (params) {
        password: "${password}",
        email: "${email}",
        avatar: "${avatar}",
+        about: "${about}",
        role: ${role},
        disabled: ${disabled},
        deleted: ${deleted}
--- a/src/seed/seed-db.js
+++ b/src/seed/seed-db.js
@ -107,9 +107,6 @@ import Factory from './factories'
      asTick.create('Post',      { id: 'p15' })
    ])

-    const disableMutation = 'mutation { disable( id: "p11") }'
-    await asModerator.mutate(disableMutation)
-
    await Promise.all([
      f.relate('Post', 'Categories', { from: 'p0',  to: 'cat16' }),
      f.relate('Post', 'Categories', { from: 'p1',  to: 'cat1' }),
@ -214,6 +211,12 @@ import Factory from './factories'
      f.relate('Comment', 'Post',   { from: 'c7', to: 'p2' })
    ])

+    const disableMutation = 'mutation($id: ID!) { disable(id: $id) }'
+    await Promise.all([
+      asModerator.mutate(disableMutation, { id: 'p11' }),
+      asModerator.mutate(disableMutation, { id: 'c5' })
+    ])
+
    await Promise.all([
      asTick.create('Report',  { description: 'I don\'t like this comment', id: 'c1' }),
      asTrick.create('Report', { description: 'I don\'t like this post',    id: 'p1' }),