<p><b>@tomhughes</b> requested changes on this pull request.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367704048">app/controllers/api/user_blocks_controller.rb</a>:</p>
<pre style='color:#555'>> @@ -14,5 +16,30 @@ def show
rescue ActiveRecord::RecordNotFound
raise OSM::APINotFoundError
end
+
+ def create
+ raise OSM::APIBadUserInput, "No user was given" unless params[:user]
+
+ user = User.visible.find_by(:id => params[:user])
+ raise OSM::APINotFoundError unless user
+ raise OSM::APIBadUserInput, "No reason was given" unless params[:reason]
+ raise OSM::APIBadUserInput, "No period was given" unless params[:period]
+
+ period = Integer(params[:period], :exception => false)
+ raise OSM::APIBadUserInput, "Period one is in a wrong format" unless period
</pre>
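Review bot: On the <code>period = Integer(params[:period], :exception => false)</code> line, <code>Integer()</code> without an explicit base honours Ruby literal prefixes, so <code>"010"</code> is read as 8 and <code>"0x10"</code> as 16 hours; pass the base, <code>Integer(params[:period], 10, :exception => false)</code>, so the value is only ever read as decimal. The <code>unless params[:reason]</code> guard also lets an empty string through, since <code>reason=</code> arrives as <code>""</code>, which is truthy; <code>params[:reason].blank?</code> would catch that case.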
<p dir="auto">I'm not sure what <code class="notranslate">one</code> is referring to in this message? It should also be <code class="notranslate">the wrong format</code> but overall I'd probably replace the whole thing with something like <code class="notranslate">Period should be a number of hours</code>.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367704875">test/controllers/api/user_blocks_controller_test.rb</a>:</p>
<pre style='color:#555'>> + post api_user_blocks_path(:user => blocked_user.id, :reason => "because", :period => 1), :headers => auth_header
+ assert_response :not_found
+ assert_equal "text/plain", @response.media_type
+
+ assert_empty blocked_user.blocks
+ end
+
+ [
+ ["missing reason", "No reason was given", { :period => "10" }],
+ ["missing period", "No period was given", { :reason => "because" }],
+ ["non-numeric period", "Period one is in a wrong format", { :reason => "because", :period => "one" }],
+ ["negative period", "Period must be between 0 and #{UserBlock::PERIODS.max}", { :reason => "go away", :period => "-1" }],
+ ["excessive period", "Period must be between 0 and #{UserBlock::PERIODS.max}", { :reason => "go away", :period => "10000000" }],
+ ["unknown needs_view", "Needs_view must be true if provided", { :reason => "because", :period => "1", :needs_view => "maybe" }]
+ ].each do |name, message, params|
+ test "create invalid because #{name}" do
</pre>
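Review bot: The period rows in the table only probe values far outside the range (<code>"-1"</code> and <code>"10000000"</code>), while the expected message promises "between 0 and <code>UserBlock::PERIODS.max</code>"; add accepted cases at 0 and at <code>UserBlock::PERIODS.max</code> and a rejected one just above the maximum, so an off-by-one in the bound check is caught. A row with <code>:reason => ""</code> would also pin down whether a blank reason is meant to be rejected.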
<p dir="auto">I'm not sure I like this - yes it's valid Ruby but it strikes me as a bit too clever for its own good.</p>
<p dir="auto">What I would probably have done is put the body of the text in a private method and then write each test method just to invoke the private method with the right arguments. It's not quite as concise as this but I think it's probably easier to read and understand.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367705397">test/controllers/api/user_blocks_controller_test.rb</a>:</p>
<pre style='color:#555'>> + assert_predicate block, :active?
+ assert_equal "because", block.reason
+ assert_equal creator_user, block.creator
+
+ assert_equal "application/xml", @response.media_type
+ assert_select "osm>user_block", 1
+ assert_select "osm>user_block>@id", block.id.to_s
+ assert_select "osm>user_block>@needs_view", "false"
+ assert_select "osm>user_block>user", 1
+ assert_select "osm>user_block>user>@uid", blocked_user.id.to_s
+ assert_select "osm>user_block>creator", 1
+ assert_select "osm>user_block>creator>@uid", creator_user.id.to_s
+ assert_select "osm>user_block>revoker", 0
+ assert_select "osm>user_block>reason", 1
+ assert_select "osm>user_block>reason", "because"
+ end
</pre>
<p dir="auto">You can nest these rather than keep repeating the same path prefix, so do something like:</p>
<div class="highlight highlight-source-ruby" dir="auto"><pre class="notranslate"><span class="pl-en">assert_select</span> <span class="pl-s">"osm>user_block"</span><span class="pl-kos">,</span> <span class="pl-c1">1</span> <span class="pl-k">do</span>
<span class="pl-en">assert_select</span> <span class="pl-s">"@id"</span><span class="pl-kos">,</span> <span class="pl-en">block</span><span class="pl-kos">.</span><span class="pl-en">id</span><span class="pl-kos">.</span><span class="pl-en">to_s</span>
...
<span class="pl-k">end</span></pre></div>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367705506">test/controllers/api/user_blocks_controller_test.rb</a>:</p>
<pre style='color:#555'>>
get api_user_block_path(:id => block)
assert_response :success
- assert_select "user_block[id='#{block.id}']", 1
+ assert_select "osm>user_block", 1
+ assert_select "osm>user_block>@id", block.id.to_s
+ assert_select "osm>user_block>user", 1
+ assert_select "osm>user_block>user>@uid", blocked_user.id.to_s
+ assert_select "osm>user_block>creator", 1
+ assert_select "osm>user_block>creator>@uid", creator_user.id.to_s
+ assert_select "osm>user_block>revoker", 0
+ assert_select "osm>user_block>reason", 1
+ assert_select "osm>user_block>reason", "because running tests"
</pre>
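Review bot: The last added assertion compares the reason against the literal <code>"because running tests"</code>, which is not set anywhere in the visible lines; if it comes from a factory default, assert against <code>block.reason</code> instead so the test does not break when that default changes.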
<p dir="auto">See previous comment about nesting selects.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367705274">lib/oauth.rb</a>:</p>
<pre style='color:#555'>> @@ -1,7 +1,7 @@
module Oauth
SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze
- OAUTH2_SCOPES = %w[openid].freeze
+ OAUTH2_SCOPES = %w[write_blocks openid].freeze
</pre>
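Review bot: On the changed line <code>write_blocks</code> goes into <code>OAUTH2_SCOPES</code> rather than <code>PRIVILEGED_SCOPES</code>, so it is not restricted the way <code>read_email</code> and <code>skip_authorization</code> are, and the protection rests on the role check in the create action. That is worth pinning with two tests: a token carrying <code>write_blocks</code> for a non-moderator is refused, and a moderator's token without <code>write_blocks</code> is refused.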
<p dir="auto">I'm not bothered about this - you still need to be a moderator to actually apply blocks so there's no real security issue. If DWG think it's important for the reasons <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mmd-osm/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/mmd-osm">@mmd-osm</a> mentions then fine.</p>
<p dir="auto">If we do want to restrict it then we'll need to add a new concept of scopes that moderators can use as the current privileged scopes are restricted to administrators only.</p>
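<p dir="auto">The two layers this comment distinguishes, which scopes an application may register and what a token may do at request time, as an added example (not code from openstreetmap-website or from the reviewer). The scope lists are copied from the quoted hunk; <code>MODERATOR_SCOPES</code>, the method names, the sample users, and the assumption that scope tiers are checked against the application owner's role are hypothetical.</p>

```ruby
# Constructed model, not project code. Scope lists come from the quoted
# lib/oauth.rb hunk; everything else below is hypothetical.
SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze
PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze
OAUTH2_SCOPES = %w[write_blocks openid].freeze
MODERATOR_SCOPES = %w[write_blocks].freeze # hypothetical moderator-only tier

User = Struct.new(:name, :roles)
Token = Struct.new(:user, :scopes)

# Registration time: which scopes may an application owned by `owner` ask for?
# restrict_blocks: false models the change as quoted (write_blocks open to all);
# restrict_blocks: true models the "scopes that moderators can use" idea.
def registrable_scopes(owner, restrict_blocks: false)
  allowed = SCOPES + OAUTH2_SCOPES
  allowed -= MODERATOR_SCOPES if restrict_blocks && !owner.roles.include?(:moderator)
  allowed += PRIVILEGED_SCOPES if owner.roles.include?(:administrator)
  allowed
end

# Request time: creating a block needs the scope on the token AND the
# moderator role on the user the token acts for. Either one alone is refused.
def may_create_block?(token)
  token.scopes.include?("write_blocks") && token.user.roles.include?(:moderator)
end

# Constructed sample users.
MAPPER = User.new("mapper", [])
MOD    = User.new("mod", [:moderator])
ADMIN  = User.new("admin", [:administrator])

if __FILE__ == $PROGRAM_NAME
  # A non-moderator can hold the scope, but the role check still refuses.
  puts may_create_block?(Token.new(MAPPER, %w[write_blocks]))
  # A moderator whose token lacks the scope is refused as well.
  puts may_create_block?(Token.new(MOD, %w[write_api]))
  puts may_create_block?(Token.new(MOD, %w[write_blocks]))
end
```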