Merge remote-tracking branch 'upstream/pull/2111'

[rails.git] / app / controllers / changeset_comments_controller.rb

class ChangesetCommentsController < ApplicationController
  skip_before_action :verify_authenticity_token, :except => [:index]
  before_action :authorize_web, :only => [:index]
  before_action :set_locale, :only => [:index]
  before_action :authorize, :only => [:create, :destroy, :restore]
  before_action :api_deny_access_handler, :only => [:create, :destroy, :restore]

  authorize_resource

  before_action :require_public_data, :only => [:create]
  before_action :check_api_writable, :only => [:create, :destroy, :restore]
  before_action :check_api_readable, :except => [:create, :index]
  before_action(:only => [:index]) { |c| c.check_database_readable(true) }
  around_action :api_call_handle_error, :except => [:index]
  around_action :api_call_timeout, :except => [:index]
  around_action :web_timeout, :only => [:index]

  ##
  # Add a comment to a changeset
  def create
    # Check the arguments are sane
    raise OSM::APIBadUserInput, "No id was given" unless params[:id]
    raise OSM::APIBadUserInput, "No text was given" if params[:text].blank?

    # Extract the arguments
    id = params[:id].to_i
    body = params[:text]

    # Find the changeset and check it is valid
    changeset = Changeset.find(id)
    raise OSM::APIChangesetNotYetClosedError, changeset if changeset.is_open?

    # Add a comment to the changeset
    comment = changeset.comments.create(:changeset => changeset,
                                        :body => body,
                                        :author => current_user)

    # Notify current subscribers of the new comment
    changeset.subscribers.visible.each do |user|
      Notifier.changeset_comment_notification(comment, user).deliver_later if current_user != user
    end

    # Add the commenter to the subscribers if necessary
    changeset.subscribers << current_user unless changeset.subscribers.exists?(current_user.id)

    # Return a copy of the updated changeset
    render :xml => changeset.to_xml.to_s
  end

  ##
  # Sets visible flag on comment to false
  def destroy
    # Check the arguments are sane
    raise OSM::APIBadUserInput, "No id was given" unless params[:id]

    # Extract the arguments
    id = params[:id].to_i

    # Find the changeset
    comment = ChangesetComment.find(id)

    # Hide the comment
    comment.update(:visible => false)

    # Return a copy of the updated changeset
    render :xml => comment.changeset.to_xml.to_s
  end

  ##
  # Sets visible flag on comment to true
  def restore
    # Check the arguments are sane
    raise OSM::APIBadUserInput, "No id was given" unless params[:id]

    # Extract the arguments
    id = params[:id].to_i

    # Find the changeset
    comment = ChangesetComment.find(id)

    # Unhide the comment
    comment.update(:visible => true)

    # Return a copy of the updated changeset
    render :xml => comment.changeset.to_xml.to_s
  end

  ##
  # Get a feed of recent changeset comments
  def index
    if params[:id]
      # Extract the arguments
      id = params[:id].to_i

      # Find the changeset
      changeset = Changeset.find(id)

      # Return comments for this changeset only
      @comments = changeset.comments.includes(:author, :changeset).limit(comments_limit)
    else
      # Return comments
      @comments = ChangesetComment.includes(:author, :changeset).where(:visible => true).order("created_at DESC").limit(comments_limit).preload(:changeset)
    end

    # Render the result
    respond_to do |format|
      format.rss
    end
  rescue OSM::APIBadUserInput
    head :bad_request
  end

  private

  ##
  # Get the maximum number of comments to return
  def comments_limit
    if params[:limit]
      if params[:limit].to_i.positive? && params[:limit].to_i <= 10000
        params[:limit].to_i
      else
        raise OSM::APIBadUserInput, "Comments limit must be between 1 and 10000"
      end
    else
      100
    end
  end
end