Merge branch 'main' into feat/add-max-reaction

Author: maboukerfa

CHANGELOG.md

@@ -19,6 +19,7 @@ and this project adheres to
 - ♿️(frontend) make doc search result labels uniquely identifiable #2212
 - ⬆️(backend) upgrade docspec to v3.0.x and adapt converter API #2220
 - ✨(backend) make forward auth request uri header configurable #2241
+- ♿️(frontend) fix sidebar resize handle for screen readers #2122
 
 ### Fixed
 
@@ -29,6 +30,8 @@ and this project adheres to
 - 🐛(frontend) fix interlinking modal clipping #2213
 - 🛂(frontend) fix cannot manage member on small screen #2226
 - 🐛(backend) load jwks url when OIDC_RS_PRIVATE_KEY_STR is set
+- 🐛(backend) Prevent moving document to its own descendant or self #2208
+- 🐛(backend) return 400 when restoring a non-deleted document #2225
 
 ### Removed
 
@@ -202,6 +205,7 @@ and this project adheres to
 
 ### Fixed
 
+- 🐛(backend) enforce emoji validation for reactions #1965
 - 🐛(frontend) analytic feature flags problem #1953
 - 🐛(frontend) fix home collapsing panel #1954
 - 🐛(frontend) fix disabled color on icon Dropdown #1950

src/backend/core/api/serializers.py

@@ -13,6 +13,7 @@
 from django.utils.text import slugify
 from django.utils.translation import gettext_lazy as _
 
+import emoji
 import magic
 from rest_framework import serializers
 
@@ -875,6 +876,12 @@ class Meta:
         ]
         read_only_fields = ["id", "created_at", "users"]
 
+    def validate_emoji(self, value):
+        """Ensure the reaction is a single emoji."""
+        if not emoji.is_emoji(value):
+            raise serializers.ValidationError("Reaction must be a single valid emoji.")
+        return value
+
 
 class CommentSerializer(serializers.ModelSerializer):
     """Serialize comments (nested under a thread) with reactions and abilities."""

src/backend/core/api/viewsets.py

@@ -44,6 +44,7 @@
 from rest_framework import response as drf_response
 from rest_framework.permissions import AllowAny
 from rest_framework.views import APIView
+from treebeard.exceptions import InvalidMoveToDescendant
 
 from core import authentication, choices, enums, models
 from core.api.filters import remove_accents
@@ -961,7 +962,13 @@ def move(self, request, *args, **kwargs):
                 status=status.HTTP_400_BAD_REQUEST,
             )
 
-        document.move(target_document, pos=position)
+        try:
+            document.move(target_document, pos=position)
+        except InvalidMoveToDescendant:
+            return drf.response.Response(
+                {"target_document_id": "Cannot move a document to its own descendant."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
 
         # Make sure we have at least one owner
         if (
@@ -989,7 +996,10 @@ def restore(self, request, *args, **kwargs):
         Restore a soft-deleted document if it was deleted less than x days ago.
         """
         document = self.get_object()
-        document.restore()
+        try:
+            document.restore()
+        except RuntimeError as err:
+            raise drf.exceptions.ValidationError({"detail": str(err)}) from err
 
         return drf_response.Response(
             {"detail": "Document has been successfully restored."},
@@ -2268,7 +2278,7 @@ def cors_proxy(self, request, *args, **kwargs):
         GET /api/v1.0/documents/<resource_id>/cors-proxy
         Act like a proxy to fetch external resources and bypass CORS restrictions.
         """
-        url = request.query_params.get("url")
+        url = request.query_params.get("url", "").strip()
         if not url:
             return drf.response.Response(
                 {"detail": "Missing 'url' query parameter"},

src/backend/core/factories.py

@@ -231,9 +231,10 @@ class ReactionFactory(factory.django.DjangoModelFactory):
 
     class Meta:
         model = models.Reaction
+        skip_postgeneration_save = True
 
     comment = factory.SubFactory(CommentFactory)
-    emoji = "test"
+    emoji = factory.Faker("emoji")
 
     @classmethod
     def generate_emojis(cls, n=10):

src/backend/core/tests/documents/test_api_documents_comments.py

@@ -644,11 +644,13 @@ def test_create_reaction_anonymous_user_public_document(link_role):
     document = factories.DocumentFactory(link_reach="public", link_role=link_role)
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 401
 
@@ -664,12 +666,14 @@ def test_create_reaction_authenticated_user_public_document():
     )
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     client.force_login(user)
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 403
 
@@ -684,17 +688,19 @@ def test_create_reaction_authenticated_user_accessible_public_document():
     )
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     client.force_login(user)
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 201
 
     assert models.Reaction.objects.filter(
-        comment=comment, emoji="test", users__in=[user]
+        comment=comment, emoji=reaction.emoji, users__in=[user]
     ).exists()
 
 
@@ -709,12 +715,14 @@ def test_create_reaction_authenticated_user_connected_document_link_role_reader(
     )
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     client.force_login(user)
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 403
 
@@ -737,17 +745,19 @@ def test_create_reaction_authenticated_user_connected_document(link_role):
     )
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     client.force_login(user)
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 201
 
     assert models.Reaction.objects.filter(
-        comment=comment, emoji="test", users__in=[user]
+        comment=comment, emoji=reaction.emoji, users__in=[user]
     ).exists()
 
 
@@ -760,12 +770,14 @@ def test_create_reaction_authenticated_user_restricted_accessible_document():
     document = factories.DocumentFactory(link_reach="restricted")
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     client.force_login(user)
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 403
 
@@ -781,12 +793,14 @@ def test_create_reaction_authenticated_user_restricted_accessible_document_role_
     )
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     client.force_login(user)
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 403
 
@@ -806,28 +820,72 @@ def test_create_reaction_authenticated_user_restricted_accessible_document_role_
     document = factories.DocumentFactory(link_reach="restricted", users=[(user, role)])
     thread = factories.ThreadFactory(document=document)
     comment = factories.CommentFactory(thread=thread)
+    reaction = factories.ReactionFactory(comment=comment)
+
     client = APIClient()
     client.force_login(user)
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 201
 
     assert models.Reaction.objects.filter(
-        comment=comment, emoji="test", users__in=[user]
+        comment=comment, emoji=reaction.emoji, users__in=[user]
     ).exists()
 
     response = client.post(
         f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
         f"comments/{comment.id!s}/reactions/",
-        {"emoji": "test"},
+        {"emoji": reaction.emoji},
     )
     assert response.status_code == 400
     assert response.json() == {"user_already_reacted": True}
 
 
+def test_create_reaction_invalid_emoji():
+    """Users should not be able to submit non-emojis as reactions."""
+    user = factories.UserFactory()
+    document = factories.DocumentFactory(
+        link_reach="restricted", users=[(user, models.RoleChoices.COMMENTER)]
+    )
+    thread = factories.ThreadFactory(document=document)
+    comment = factories.CommentFactory(thread=thread)
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.post(
+        f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
+        f"comments/{comment.id!s}/reactions/",
+        {"emoji": "test"},
+    )
+    assert response.status_code == 400
+    assert "Reaction must be a single valid emoji." in str(response.json())
+
+
+def test_create_reaction_multiple_emojis():
+    """Users should not be able to submit multiple emojis as a single reaction."""
+    user = factories.UserFactory()
+    document = factories.DocumentFactory(
+        link_reach="restricted", users=[(user, models.RoleChoices.COMMENTER)]
+    )
+    thread = factories.ThreadFactory(document=document)
+    comment = factories.CommentFactory(thread=thread)
+
+    client = APIClient()
+    client.force_login(user)
+
+    response = client.post(
+        f"/api/v1.0/documents/{document.id!s}/threads/{thread.id!s}/"
+        f"comments/{comment.id!s}/reactions/",
+        {"emoji": "🐛🐛"},
+    )
+    assert response.status_code == 400
+    assert "Reaction must be a single valid emoji." in str(response.json())
+
+
 # Delete reaction
 
 

src/backend/core/tests/documents/test_api_documents_cors_proxy.py

@@ -55,6 +55,31 @@ def test_api_docs_cors_proxy_valid_url(mock_getaddrinfo):
     assert response.streaming_content
 
 
+@unittest.mock.patch("core.api.viewsets.socket.getaddrinfo")
+@responses.activate
+def test_api_docs_cors_proxy_url_with_surrounding_whitespace(mock_getaddrinfo):
+    """
+    URLs with leading or trailing whitespace must still be proxied successfully,
+    otherwise images whose `src` has stray whitespace are missing from the PDF export.
+    """
+    document = factories.DocumentFactory(link_reach="public")
+
+    # Mock DNS resolution to return a public IP address
+    mock_getaddrinfo.return_value = [
+        (socket.AF_INET, socket.SOCK_STREAM, 0, "", ("8.8.8.8", 0))
+    ]
+
+    client = APIClient()
+    url_to_fetch = "https://external-url.com/assets/logo-gouv.png"
+    responses.get(url_to_fetch, body=b"", status=200, content_type="image/png")
+    response = client.get(
+        f"/api/v1.0/documents/{document.id!s}/cors-proxy/?url=   {url_to_fetch}   "
+    )
+    assert response.status_code == 200
+    assert response.headers["Content-Type"] == "image/png"
+    assert response.streaming_content
+
+
 def test_api_docs_cors_proxy_without_url_query_string():
     """Test the CORS proxy API for documents without a URL query string."""
     document = factories.DocumentFactory(link_reach="public")