feat: allow commenting by regular users when posting media requires a…

…dvanced permissions (#1023)
mediacms-io · Oct 2, 2024 · 90e5939 · 90e5939
1 parent f7136e2
commit 90e5939
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/cms/permissions.py b/cms/permissions.py
@@ -11,6 +11,13 @@ def has_permission(self, request, view):
         return user_allowed_to_upload(request)
 
 
+class IsAuthorizedToAddComment(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method in permissions.SAFE_METHODS:
+            return True
+        return user_allowed_to_comment(request)
+
+
 class IsUserOrManager(permissions.BasePermission):
     """To be used in cases where request.user is either the
     object owner, or anyone amongst MediaCMS managers
@@ -66,3 +73,24 @@ def user_allowed_to_upload(request):
         if request.user.advancedUser:
             return True
     return False
+
+
+def user_allowed_to_comment(request):
+    """Any custom logic for whether a user is allowed
+    to comment lives here
+    """
+    if request.user.is_anonymous:
+        return False
+    if request.user.is_superuser:
+        return True
+
+    # Default is "all"
+    if not hasattr(settings, "CAN_COMMENT") or settings.CAN_COMMENT == "all":
+        return True
+    elif settings.CAN_COMMENT == "email_verified":
+        if request.user.email_is_verified:
+            return True
+    elif settings.CAN_COMMENT == "advancedUser":
+        if request.user.advancedUser:
+            return True
+    return False
diff --git a/cms/settings.py b/cms/settings.py
@@ -15,6 +15,10 @@
 # valid options include 'all', 'email_verified', 'advancedUser'
 CAN_ADD_MEDIA = "all"
 
+# who can comment
+# valid options include 'all', 'email_verified', 'advancedUser'
+CAN_COMMENT = "all"
+
 # valid choices here are 'public', 'private', 'unlisted
 PORTAL_WORKFLOW = "public"
 

diff --git a/files/views.py b/files/views.py
@@ -24,7 +24,12 @@
 
 from actions.models import USER_MEDIA_ACTIONS, MediaAction
 from cms.custom_pagination import FastPaginationWithoutCount
-from cms.permissions import IsAuthorizedToAdd, IsUserOrEditor, user_allowed_to_upload
+from cms.permissions import (
+    IsAuthorizedToAdd,
+    IsAuthorizedToAddComment,
+    IsUserOrEditor,
+    user_allowed_to_upload,
+)
 from users.models import User
 
 from .forms import ContactForm, MediaForm, SubtitleForm
@@ -1204,7 +1209,7 @@ class CommentDetail(APIView):
     Delete comment (DELETE)
     """
 
-    permission_classes = (IsAuthorizedToAdd,)
+    permission_classes = (IsAuthorizedToAddComment,)
     parser_classes = (JSONParser, MultiPartParser, FormParser, FileUploadParser)
 
     def get_object(self, friendly_token):