[Backport] Issue 4679: Comment permission isn't working for external users

taiga/permissions/permissions.py

@@ -74,18 +74,10 @@ class CommentAndOrUpdatePerm(PermissionComponent):
         else:
             project = obj.project
 
-        data_keys = request.DATA.keys()
+        data_keys = set(request.DATA.keys()) - {"version"}
-
+        just_a_comment = data_keys == {"comment"}
-        if (not services.user_has_perm(request.user, self.comment_perm, project) and
-            "comment" in data_keys):
-                # User can't comment but there is a comment in the request
-                #raise exc.PermissionDenied(_("You don't have permissions to comment this."))
-                return False
-
-        if (not services.user_has_perm(request.user, self.update_perm, project) and
-            len(data_keys - "comment")):
-                # User can't update but there is a change in the request
-                #raise exc.PermissionDenied(_("You don't have permissions to update this."))
-                return False
 
+        if (just_a_comment and services.user_has_perm(request.user, self.comment_perm, project)):
                 return True
+
+        return services.user_has_perm(request.user, self.update_perm, project)

tests/integration/resources_permissions/test_epics_resources.py

@@ -58,7 +58,7 @@ def data():
 
     m.public_project = f.ProjectFactory(is_private=False,
                                         anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_epic"],
                                         owner=m.project_owner,
                                         epics_csv_uuid=uuid.uuid4().hex)
     m.public_project = attach_project_extra_info(Project.objects.all()).get(id=m.public_project.id)
@@ -550,7 +550,7 @@ def test_epic_patch_comment(client, data):
     with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
         patch_data = json.dumps({"comment": "test comment", "version": data.public_epic.version})
         results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]
 
         patch_data = json.dumps({"comment": "test comment", "version": data.private_epic1.version})
         results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)

tests/integration/resources_permissions/test_issues_resources.py

@@ -62,7 +62,7 @@ def data():
 
     m.public_project = f.ProjectFactory(is_private=False,
                                         anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_issue"],
                                         owner=m.project_owner,
                                         issues_csv_uuid=uuid.uuid4().hex)
     m.public_project = attach_project_extra_info(Project.objects.all()).get(id=m.public_project.id)
@@ -592,7 +592,7 @@ def test_issue_patch_comment(client, data):
     with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
         patch_data = json.dumps({"comment": "test comment", "version": data.public_issue.version})
         results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]
 
         patch_data = json.dumps({"comment": "test comment", "version": data.private_issue1.version})
         results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)

tests/integration/resources_permissions/test_tasks_resources.py

@@ -58,7 +58,7 @@ def data():
 
     m.public_project = f.ProjectFactory(is_private=False,
                                         anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_task"],
                                         owner=m.project_owner,
                                         tasks_csv_uuid=uuid.uuid4().hex)
     m.public_project = attach_project_extra_info(Project.objects.all()).get(id=m.public_project.id)
@@ -556,7 +556,7 @@ def test_task_patch_comment(client, data):
     with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
         patch_data = json.dumps({"comment": "test comment", "version": data.public_task.version})
         results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]
 
         patch_data = json.dumps({"comment": "test comment", "version": data.private_task1.version})
         results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)

tests/integration/resources_permissions/test_userstories_resources.py

@@ -64,7 +64,7 @@ def data():
     m.public_points = f.PointsFactory()
     m.public_project = f.ProjectFactory(is_private=False,
                                         anon_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
-                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)),
+                                        public_permissions=list(map(lambda x: x[0], ANON_PERMISSIONS)) + ["comment_us"],
                                         owner=m.project_owner,
                                         userstories_csv_uuid=uuid.uuid4().hex,
                                         default_points=m.public_points)
@@ -544,7 +544,7 @@ def test_user_story_patch_comment(client, data):
     with mock.patch.object(OCCResourceMixin, "_validate_and_update_version"):
         patch_data = json.dumps({"comment": "test comment", "version": data.public_user_story.version})
         results = helper_test_http_method(client, 'patch', public_url, patch_data, users)
-        assert results == [401, 403, 403, 200, 200]
+        assert results == [401, 200, 200, 200, 200]
 
         patch_data = json.dumps({"comment": "test comment", "version": data.private_user_story1.version})
         results = helper_test_http_method(client, 'patch', private_url1, patch_data, users)