API: Built out tests for comment API endpoints

ssddanbrown · ssddanbrown · commit fcacf7cacbea · 2025-10-23T16:52:29.000+01:00
diff --git a/app/Activity/CommentRepo.php b/app/Activity/CommentRepo.php
@@ -50,8 +50,8 @@ public function create(Entity $entity, string $html, ?int $parentId, string $con
         // Validate parent ID
         if ($parentId !== null) {
             $parentCommentExists = Comment::query()
-                ->where('entity_id', '=', $entity->id)
-                ->where('entity_type', '=', $entity->getMorphClass())
+                ->where('commentable_id', '=', $entity->id)
+                ->where('commentable_type', '=', $entity->getMorphClass())
                 ->where('local_id', '=', $parentId)
                 ->exists();
             if (!$parentCommentExists) {
diff --git a/app/Activity/Controllers/CommentApiController.php b/app/Activity/Controllers/CommentApiController.php
@@ -23,9 +23,6 @@ class CommentApiController extends ApiController
 {
     // TODO - Add tree-style comment listing to page-show responses.
 
-    // TODO - Test visibility controls
-    // TODO - Test permissions of each action
-
     protected array $rules = [
         'create' => [
             'page_id' => ['required', 'integer'],
@@ -34,7 +31,7 @@ class CommentApiController extends ApiController
             'content_ref' => ['string'],
         ],
         'update' => [
-            'html' => ['required', 'string'],
+            'html' => ['string'],
             'archived' => ['boolean'],
         ]
     ];
@@ -85,6 +82,7 @@ public function create(Request $request): JsonResponse
     public function read(string $id): JsonResponse
     {
         $comment = $this->commentRepo->getVisibleById(intval($id));
+        $comment->load('createdBy', 'updatedBy');
 
         $replies = $this->commentRepo->getQueryForVisible()
             ->where('parent_id', '=', $comment->local_id)
@@ -117,17 +115,19 @@ public function update(Request $request, string $id): JsonResponse
         $this->checkOwnablePermission(Permission::CommentUpdate, $comment);
 
         $input = $this->validate($request, $this->rules()['update']);
+        $hasHtml = isset($input['html']);
 
         if (isset($input['archived'])) {
-            $archived = $input['archived'];
-            if ($archived) {
-                $this->commentRepo->archive($comment, false);
+            if ($input['archived']) {
+                $this->commentRepo->archive($comment, !$hasHtml);
             } else {
-                $this->commentRepo->unarchive($comment, false);
+                $this->commentRepo->unarchive($comment, !$hasHtml);
             }
         }
 
-        $comment = $this->commentRepo->update($comment, $input['html']);
+        if ($hasHtml) {
+            $comment = $this->commentRepo->update($comment, $input['html']);
+        }
 
         return response()->json($comment);
     }
diff --git a/app/Activity/Models/Comment.php b/app/Activity/Models/Comment.php
@@ -41,7 +41,7 @@ class Comment extends Model implements Loggable, OwnableInterface
      */
     public function entity(): MorphTo
     {
-        return $this->morphTo('entity');
+        return $this->morphTo('commentable');
     }
 
     /**
diff --git a/tests/Activity/CommentsApiTest.php b/tests/Activity/CommentsApiTest.php
@@ -2,8 +2,8 @@
 
 namespace Activity;
 
-use BookStack\Activity\ActivityType;
-use BookStack\Facades\Activity;
+use BookStack\Activity\Models\Comment;
+use BookStack\Permissions\Permission;
 use Tests\Api\TestsApi;
 use Tests\TestCase;
 
@@ -13,31 +13,238 @@ class CommentsApiTest extends TestCase
 
     public function test_endpoint_permission_controls()
     {
-        // TODO
+        $user = $this->users->editor();
+        $this->permissions->grantUserRolePermissions($user, [Permission::CommentDeleteAll, Permission::CommentUpdateAll]);
+
+        $page = $this->entities->page();
+        $comment = Comment::factory()->make();
+        $page->comments()->save($comment);
+        $this->actingAsForApi($user);
+
+        $actions = [
+            ['GET', '/api/comments'],
+            ['GET', "/api/comments/{$comment->id}"],
+            ['POST', "/api/comments"],
+            ['PUT', "/api/comments/{$comment->id}"],
+            ['DELETE', "/api/comments/{$comment->id}"],
+        ];
+
+        foreach ($actions as [$method, $endpoint]) {
+            $resp = $this->call($method, $endpoint);
+            $this->assertNotPermissionError($resp);
+        }
+
+        $comment = Comment::factory()->make();
+        $page->comments()->save($comment);
+        $this->getJson("/api/comments")->assertSee(['id' => $comment->id]);
+
+        $this->permissions->removeUserRolePermissions($user, [
+            Permission::CommentDeleteAll, Permission::CommentDeleteOwn,
+            Permission::CommentUpdateAll, Permission::CommentUpdateOwn,
+            Permission::CommentCreateAll
+        ]);
+
+        $this->assertPermissionError($this->json('delete', "/api/comments/{$comment->id}"));
+        $this->assertPermissionError($this->json('put', "/api/comments/{$comment->id}"));
+        $this->assertPermissionError($this->json('post', "/api/comments"));
+        $this->assertNotPermissionError($this->json('get', "/api/comments/{$comment->id}"));
+
+        $this->permissions->disableEntityInheritedPermissions($page);
+        $this->json('get', "/api/comments/{$comment->id}")->assertStatus(404);
+        $this->getJson("/api/comments")->assertDontSee(['id' => $comment->id]);
     }
 
     public function test_index()
     {
-        // TODO
+        $page = $this->entities->page();
+        Comment::query()->delete();
+
+        $comments = Comment::factory()->count(10)->make();
+        $page->comments()->saveMany($comments);
+
+        $firstComment = $comments->first();
+        $resp = $this->actingAsApiEditor()->getJson('/api/comments');
+        $resp->assertJson([
+            'data' => [
+                [
+                    'id' => $firstComment->id,
+                    'commentable_id' => $page->id,
+                    'commentable_type' => 'page',
+                    'parent_id' => null,
+                    'local_id' => $firstComment->local_id,
+                ],
+            ],
+        ]);
+        $resp->assertJsonCount(10, 'data');
+        $resp->assertJson(['total' => 10]);
+
+        $filtered = $this->getJson("/api/comments?filter[id]={$firstComment->id}");
+        $filtered->assertJsonCount(1, 'data');
+        $filtered->assertJson(['total' => 1]);
     }
 
     public function test_create()
     {
-        // TODO
+        $page = $this->entities->page();
+
+        $resp = $this->actingAsApiEditor()->postJson('/api/comments', [
+            'page_id' => $page->id,
+            'html' => '<p>My wonderful comment</p>',
+            'content_ref' => 'test-content-ref',
+        ]);
+        $resp->assertOk();
+        $id = $resp->json('id');
+
+        $this->assertDatabaseHas('comments', [
+            'id' => $id,
+            'commentable_id' => $page->id,
+            'commentable_type' => 'page',
+            'html' => '<p>My wonderful comment</p>',
+        ]);
+
+        $comment = Comment::query()->findOrFail($id);
+        $this->assertIsInt($comment->local_id);
+
+        $reply = $this->actingAsApiEditor()->postJson('/api/comments', [
+            'page_id' => $page->id,
+            'html' => '<p>My wonderful reply</p>',
+            'content_ref' => 'test-content-ref',
+            'reply_to' => $comment->local_id,
+        ]);
+        $reply->assertOk();
+
+        $this->assertDatabaseHas('comments', [
+            'id' => $reply->json('id'),
+            'commentable_id' => $page->id,
+            'commentable_type' => 'page',
+            'html' => '<p>My wonderful reply</p>',
+            'parent_id' => $comment->local_id,
+        ]);
     }
 
     public function test_read()
     {
-        // TODO
+        $page = $this->entities->page();
+        $user = $this->users->viewer();
+        $comment = Comment::factory()->make([
+            'html' => '<p>A lovely comment <script>hello</script></p>',
+            'created_by' => $user->id,
+            'updated_by' => $user->id,
+        ]);
+        $page->comments()->save($comment);
+        $comment->refresh();
+        $reply = Comment::factory()->make([
+            'parent_id' => $comment->local_id,
+            'html' => '<p>A lovely<script>angry</script>reply</p>',
+        ]);
+        $page->comments()->save($reply);
+
+        $resp = $this->actingAsApiEditor()->getJson("/api/comments/{$comment->id}");
+        $resp->assertJson([
+            'id' => $comment->id,
+            'commentable_id' => $page->id,
+            'commentable_type' => 'page',
+            'html' => '<p>A lovely comment </p>',
+            'archived' => false,
+            'created_by' => [
+                'id' => $user->id,
+                'name' => $user->name,
+            ],
+            'updated_by' => [
+                'id' => $user->id,
+                'name' => $user->name,
+            ],
+            'replies' => [
+                [
+                    'id' => $reply->id,
+                    'html' => '<p>A lovelyreply</p>'
+                ]
+            ]
+        ]);
     }
 
     public function test_update()
     {
-        // TODO
+        $page = $this->entities->page();
+        $user = $this->users->editor();
+        $this->permissions->grantUserRolePermissions($user, [Permission::CommentUpdateAll]);
+        $comment = Comment::factory()->make([
+            'html' => '<p>A lovely comment</p>',
+            'created_by' => $this->users->viewer()->id,
+            'updated_by' => $this->users->viewer()->id,
+            'parent_id' => null,
+        ]);
+        $page->comments()->save($comment);
+
+        $this->actingAsForApi($user)->putJson("/api/comments/{$comment->id}", [
+           'html' => '<p>A lovely updated comment</p>',
+        ])->assertOk();
+
+        $this->assertDatabaseHas('comments', [
+            'id' => $comment->id,
+            'html' => '<p>A lovely updated comment</p>',
+            'archived' => 0,
+        ]);
+
+        $this->putJson("/api/comments/{$comment->id}", [
+            'archived' => true,
+        ]);
+
+        $this->assertDatabaseHas('comments', [
+            'id' => $comment->id,
+            'html' => '<p>A lovely updated comment</p>',
+            'archived' => 1,
+        ]);
+
+        $this->putJson("/api/comments/{$comment->id}", [
+            'archived' => false,
+            'html' => '<p>A lovely updated again comment</p>',
+        ]);
+
+        $this->assertDatabaseHas('comments', [
+            'id' => $comment->id,
+            'html' => '<p>A lovely updated again comment</p>',
+            'archived' => 0,
+        ]);
+    }
+
+    public function test_update_cannot_archive_replies()
+    {
+        $page = $this->entities->page();
+        $user = $this->users->editor();
+        $this->permissions->grantUserRolePermissions($user, [Permission::CommentUpdateAll]);
+        $comment = Comment::factory()->make([
+            'html' => '<p>A lovely comment</p>',
+            'created_by' => $this->users->viewer()->id,
+            'updated_by' => $this->users->viewer()->id,
+            'parent_id' => 90,
+        ]);
+        $page->comments()->save($comment);
+
+        $resp = $this->actingAsForApi($user)->putJson("/api/comments/{$comment->id}", [
+            'archived' => true,
+        ]);
+
+        $this->assertEquals($this->errorResponse('Only top-level comments can be archived.', 400), $resp->json());
+        $this->assertDatabaseHas('comments', [
+            'id' => $comment->id,
+            'archived' => 0,
+        ]);
     }
 
     public function test_destroy()
     {
-        // TODO
+        $page = $this->entities->page();
+        $user = $this->users->editor();
+        $this->permissions->grantUserRolePermissions($user, [Permission::CommentDeleteAll]);
+        $comment = Comment::factory()->make([
+            'html' => '<p>A lovely comment</p>',
+        ]);
+        $page->comments()->save($comment);
+
+        $this->actingAsForApi($user)->deleteJson("/api/comments/{$comment->id}")->assertStatus(204);
+        $this->assertDatabaseMissing('comments', [
+            'id' => $comment->id,
+        ]);
     }
 }
diff --git a/tests/TestCase.php b/tests/TestCase.php
@@ -199,7 +199,7 @@ private function isPermissionError($response): bool
     {
         if ($response->status() === 403 && $response instanceof JsonResponse) {
             $errMessage = $response->getData(true)['error']['message'] ?? '';
-            return $errMessage === 'You do not have permission to perform the requested action.';
+            return str_contains($errMessage, 'do not have permission');
         }
 
         return $response->status() === 302

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ class Comment extends Model implements Loggable, OwnableInterface`
`41`	`41`	`*/`
`42`	`42`	`public function entity(): MorphTo`
`43`	`43`	`{`
`44`		`- return $this->morphTo('entity');`
	`44`	`+ return $this->morphTo('commentable');`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -199,7 +199,7 @@ private function isPermissionError($response): bool`
`199`	`199`	`{`
`200`	`200`	`if ($response->status() === 403 && $response instanceof JsonResponse) {`
`201`	`201`	`$errMessage = $response->getData(true)['error']['message'] ?? '';`
`202`		`- return $errMessage === 'You do not have permission to perform the requested action.';`
	`202`	`+ return str_contains($errMessage, 'do not have permission');`
`203`	`203`	`}`
`204`	`204`
`205`	`205`	`return $response->status() === 302`