
<p></p>

<p><b>@tomhughes</b> requested changes on this pull request.</p>


<hr>


<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367704048">app/controllers/api/user_blocks_controller.rb</a>:</p>

<pre style='color:#555'>> @@ -14,5 +16,30 @@ def show

     rescue ActiveRecord::RecordNotFound

       raise OSM::APINotFoundError

     end

+

+    def create

+      raise OSM::APIBadUserInput, "No user was given" unless params[:user]

+

+      user = User.visible.find_by(:id => params[:user])

+      raise OSM::APINotFoundError unless user

+      raise OSM::APIBadUserInput, "No reason was given" unless params[:reason]

+      raise OSM::APIBadUserInput, "No period was given" unless params[:period]

+

+      period = Integer(params[:period], :exception => false)

+      raise OSM::APIBadUserInput, "Period one is in a wrong format" unless period

</pre>

<p dir="auto">I'm not sure what <code class="notranslate">one</code> is referring to in this message? It should also be <code class="notranslate">the wrong format</code> but overall I'd probably replace the whole thing with something like <code class="notranslate">Period should be a number of hours</code>.</p>


<hr>


<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367704875">test/controllers/api/user_blocks_controller_test.rb</a>:</p>

<pre style='color:#555'>> +      post api_user_blocks_path(:user => blocked_user.id, :reason => "because", :period => 1), :headers => auth_header

+      assert_response :not_found

+      assert_equal "text/plain", @response.media_type

+

+      assert_empty blocked_user.blocks

+    end

+

+    [

+      ["missing reason", "No reason was given", { :period => "10" }],

+      ["missing period", "No period was given", { :reason => "because" }],

+      ["non-numeric period", "Period one is in a wrong format", { :reason => "because", :period => "one" }],

+      ["negative period", "Period must be between 0 and #{UserBlock::PERIODS.max}", { :reason => "go away", :period => "-1" }],

+      ["excessive period", "Period must be between 0 and #{UserBlock::PERIODS.max}", { :reason => "go away", :period => "10000000" }],

+      ["unknown needs_view", "Needs_view must be true if provided", { :reason => "because", :period => "1", :needs_view => "maybe" }]

+    ].each do |name, message, params|

+      test "create invalid because #{name}" do

</pre>

<p dir="auto">I'm not sure I like this - yes it's valid ruby but it strikes me as a bit too clever for it's own good.</p>

<p dir="auto">What I would probably have done is put the body of the text in a private method and then write each test method just to invoke the private method with the right arguments. It's not quite as concise as this but I think it's probably easier to read and understand.</p>


<hr>


<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367705397">test/controllers/api/user_blocks_controller_test.rb</a>:</p>

<pre style='color:#555'>> +      assert_predicate block, :active?

+      assert_equal "because", block.reason

+      assert_equal creator_user, block.creator

+

+      assert_equal "application/xml", @response.media_type

+      assert_select "osm>user_block", 1

+      assert_select "osm>user_block>@id", block.id.to_s

+      assert_select "osm>user_block>@needs_view", "false"

+      assert_select "osm>user_block>user", 1

+      assert_select "osm>user_block>user>@uid", blocked_user.id.to_s

+      assert_select "osm>user_block>creator", 1

+      assert_select "osm>user_block>creator>@uid", creator_user.id.to_s

+      assert_select "osm>user_block>revoker", 0

+      assert_select "osm>user_block>reason", 1

+      assert_select "osm>user_block>reason", "because"

+    end

</pre>

<p dir="auto">You can nest these rather than keep repeating the same path prefix, so do something like:</p>

<div class="highlight highlight-source-ruby" dir="auto"><pre class="notranslate"><span class="pl-en">assert_select</span> <span class="pl-s">"osm>user_block"</span><span class="pl-kos">,</span> <span class="pl-c1">1</span> <span class="pl-k">do</span>

   <span class="pl-en">assert_select</span> <span class="pl-s">"@id"</span><span class="pl-kos">,</span> <span class="pl-en">block</span><span class="pl-kos">.</span><span class="pl-en">id</span><span class="pl-kos">.</span><span class="pl-en">to_s</span>

   ...

<span class="pl-k">end</span></pre></div>


<hr>


<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367705506">test/controllers/api/user_blocks_controller_test.rb</a>:</p>

<pre style='color:#555'>>  

       get api_user_block_path(:id => block)

       assert_response :success

-      assert_select "user_block[id='#{block.id}']", 1

+      assert_select "osm>user_block", 1

+      assert_select "osm>user_block>@id", block.id.to_s

+      assert_select "osm>user_block>user", 1

+      assert_select "osm>user_block>user>@uid", blocked_user.id.to_s

+      assert_select "osm>user_block>creator", 1

+      assert_select "osm>user_block>creator>@uid", creator_user.id.to_s

+      assert_select "osm>user_block>revoker", 0

+      assert_select "osm>user_block>reason", 1

+      assert_select "osm>user_block>reason", "because running tests"

</pre>

<p dir="auto">See previous comment about nesting selects.</p>


<hr>


<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#discussion_r1367705274">lib/oauth.rb</a>:</p>

<pre style='color:#555'>> @@ -1,7 +1,7 @@

 module Oauth

   SCOPES = %w[read_prefs write_prefs write_diary write_api read_gpx write_gpx write_notes].freeze

   PRIVILEGED_SCOPES = %w[read_email skip_authorization].freeze

-  OAUTH2_SCOPES = %w[openid].freeze

+  OAUTH2_SCOPES = %w[write_blocks openid].freeze

</pre>

<p dir="auto">I'm not bothered about this - you still need to be a moderator to actually apply blocks so there's no real security issue. If DWG think it's important for the reasons <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/users/mmd-osm/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="https://github.com/mmd-osm">@mmd-osm</a> mentions then fine.</p>

<p dir="auto">If we do want to restrict it then we'll need to add a new concept of scopes that moderators can use as the current privileged scopes are restricted to administrators only.</p>


<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/pull/4301#pullrequestreview-1691229213">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AAK2OLOOOWSV2GM5UJM2DJLYAOPHXAVCNFSM6AAAAAA6I5FK4GVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTMOJRGIZDSMRRGM">unsubscribe</a>.<br />You are receiving this because you are subscribed to this thread.<img src="https://github.com/notifications/beacon/AAK2OLM2JGPCIMUUGJRSZ2TYAOPHXA5CNFSM6AAAAAA6I5FK4GWGG33NNVSW45C7OR4XAZNRKB2WY3CSMVYXKZLTORJGK5TJMV32UY3PNVWWK3TUL5UWJTTEZYOB2.gif" height="1" width="1" alt="" /><span style="color: transparent; font-size: 0; display: none; visibility: hidden; overflow: hidden; opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0; mso-hide: all">Message ID: <span><openstreetmap/openstreetmap-website/pull/4301/review/1691229213</span><span>@</span><span>github</span><span>.</span><span>com></span></span></p>

<script type="application/ld+json">[

{

"@context": "http://schema.org",

"@type": "EmailMessage",

"potentialAction": {

"@type": "ViewAction",

"target": "https://github.com/openstreetmap/openstreetmap-website/pull/4301#pullrequestreview-1691229213",

"url": "https://github.com/openstreetmap/openstreetmap-website/pull/4301#pullrequestreview-1691229213",

"name": "View Pull Request"

},

"description": "View this Pull Request on GitHub",

"publisher": {

"@type": "Organization",

"name": "GitHub",

"url": "https://github.com"

}

}

]</script>