Added 'View comments' and 'Reply to item' permission to discussion (#1327)

* Added 'View comments' and 'Reply to item' permission to discussion

* Changelog

* Black format

* Use permissions from plone.app.discussion for discussion endpoints

* Revert use of permissions from plone.app.discussion

* Update tests

* Update tests

* Update tests

* Use permissions from plone.app.discussion for update and delete

Co-authored-by: Alin Voinea <contact@avoinea.com>

Author: razvanMiu

news/1327.feature

@@ -0,0 +1 @@
+- Added 'View comments' and 'Reply to item' permission to discussion [@razvanMiu]

src/plone/restapi/serializer/discussion.py

@@ -5,7 +5,9 @@
 from plone.restapi.interfaces import ISerializeToJson
 from plone.restapi.services.discussion.utils import can_delete
 from plone.restapi.services.discussion.utils import can_delete_own
+from plone.restapi.services.discussion.utils import can_view
 from plone.restapi.services.discussion.utils import can_edit
+from plone.restapi.services.discussion.utils import can_reply
 from plone.restapi.services.discussion.utils import delete_own_comment_allowed
 from plone.restapi.services.discussion.utils import edit_comment_allowed
 from Products.CMFCore.utils import getToolByName
@@ -24,20 +26,29 @@ def __init__(self, context, request):
 
     def __call__(self):
         # We'll batch the threads
+        view_comments = can_view(self.context)
         results = list(self.context.getThreads())
         batch = HypermediaBatch(self.request, results)
 
         results = {}
         results["@id"] = batch.canonical_url
 
         results["items_total"] = batch.items_total
+        results["permissions"] = {
+            "view_comments": view_comments,
+            "can_reply": can_reply(self.context),
+        }
         if batch.links:
             results["batching"] = batch.links
 
-        results["items"] = [
-            getMultiAdapter((thread["comment"], self.request), ISerializeToJson)()
-            for thread in batch
-        ]
+        results["items"] = (
+            [
+                getMultiAdapter((thread["comment"], self.request), ISerializeToJson)()
+                for thread in batch
+            ]
+            if view_comments
+            else []
+        )
 
         return results
 
@@ -87,6 +98,7 @@ def __call__(self, include_items=True):
             ),  # noqa
             "is_editable": edit_comment_allowed() and can_edit(self.context),
             "is_deletable": can_delete(self.context) or delete_own,
+            "can_reply": can_reply(self.context),
         }
 
     def get_author_image(self, username=None):

src/plone/restapi/services/discussion/configure.zcml

@@ -35,15 +35,15 @@
       method="PATCH"
       factory=".conversation.CommentsUpdate"
       for="*"
-      permission="zope2.View"
+      permission="plone.app.discussion.EditComments"
       name="@comments"
       />
 
   <plone:service
       method="DELETE"
       factory=".conversation.CommentsDelete"
       for="*"
-      permission="zope2.View"
+      permission="plone.app.discussion.DeleteComments"
       name="@comments"
       />
 

src/plone/restapi/services/discussion/utils.py

@@ -28,13 +28,27 @@ def permission_exists(permission_id):
     return permission is not None
 
 
+def can_view(context):
+    """Returns true if current user has the 'View comments' permission."""
+    if not permission_exists("plone.app.discussion.ViewComments"):
+        return bool(getSecurityManager().checkPermission("View", context))
+    return bool(getSecurityManager().checkPermission("View comments", context))
+
+
 def can_review(comment):
     """Returns true if current user has the 'Review comments' permission."""
     return bool(
         getSecurityManager().checkPermission("Review comments", aq_inner(comment))
     )
 
 
+def can_reply(comment):
+    """Returns true if current user has the 'Reply to item' permission."""
+    return bool(
+        getSecurityManager().checkPermission("Reply to item", aq_inner(comment))
+    )
+
+
 def can_delete(comment):
     """Returns true if current user has the 'Delete comments'
     permission.

src/plone/restapi/tests/http-examples/comments_get.resp

@@ -11,6 +11,7 @@ Content-Type: application/json
             "author_image": null,
             "author_name": null,
             "author_username": null,
+            "can_reply": true,
             "comment_id": "1400000000000000",
             "creation_date": "1995-07-31T13:45:00",
             "in_reply_to": null,
@@ -30,6 +31,7 @@ Content-Type: application/json
             "author_image": null,
             "author_name": null,
             "author_username": null,
+            "can_reply": true,
             "comment_id": "1400000000000001",
             "creation_date": "1995-07-31T13:45:00",
             "in_reply_to": "1400000000000000",
@@ -43,5 +45,9 @@ Content-Type: application/json
             "user_notification": null
         }
     ],
-    "items_total": 2
+    "items_total": 2,
+    "permissions": {
+        "can_reply": true,
+        "view_comments": true
+    }
 }

src/plone/restapi/tests/test_comments.py

@@ -57,7 +57,7 @@ def test_conversation(self):
         )
 
         output = serializer()
-        self.assertEqual(set(output), {"@id", "items_total", "items"})
+        self.assertEqual(set(output), {"@id", "permissions", "items_total", "items"})
 
     def test_conversation_batched(self):
         self.request.form["b_size"] = 1
@@ -88,6 +88,7 @@ def test_comment(self):
             "modification_date",
             "is_editable",
             "is_deletable",
+            "can_reply",
         ]
         self.assertEqual(set(output), set(expected))
 

src/plone/restapi/tests/test_services_comments.py

@@ -62,7 +62,7 @@ def test_list_datastructure(self):
 
         self.assertEqual(200, response.status_code)
         data = response.json()
-        self.assertEqual({"items_total", "items", "@id"}, set(data))
+        self.assertEqual({"items_total", "items", "permissions", "@id"}, set(data))
 
     def test_list_batching(self):
         url = f"{self.doc.absolute_url()}/@comments"