Fix bug in spam blocking

Editing a comment such that it matched a blocked hash would cause the API to return 503 but actually update the comment. This is now fixed.

Fix bug in spam blocking
Editing a comment such that it matched a blocked hash would cause the API to return 503 but actually update the comment. This is now fixed.
c58fe354 · Greg Price · c4f5a1f2 · c58fe354 · c58fe354 · c58fe354
Commit c58fe354 authored Jul 01, 2014 by Greg Price
Showing with 23 additions and 12 deletions

api/comment_threads.rb
+2 -2

api/commentables.rb
+1 -1

api/comments.rb
+2 -2

lib/helpers.rb
+2 -2

spec/api/comment_spec.rb
+6 -2

spec/api/comment_thread_spec.rb
+8 -2

spec/api/commentable_spec.rb
+2 -1

No files found.
--- a/api/comment_threads.rb
+++ b/api/comment_threads.rb
@@ -41,8 +41,8 @@ get "#{APIPREFIX}/threads/:thread_id" do |thread_id|
 end

 put "#{APIPREFIX}/threads/:thread_id" do |thread_id|
+  filter_blocked_content params["body"]
  thread.update_attributes(params.slice(*%w[title body closed commentable_id group_id]))
-  filter_blocked_content thread

  if thread.errors.any?
    error 400, thread.errors.full_messages.to_json
@@ -53,12 +53,12 @@ put "#{APIPREFIX}/threads/:thread_id" do |thread_id|
 end

 post "#{APIPREFIX}/threads/:thread_id/comments" do |thread_id|
+  filter_blocked_content params["body"]
  comment = Comment.new(params.slice(*%w[body course_id]))
  comment.anonymous = bool_anonymous || false
  comment.anonymous_to_peers = bool_anonymous_to_peers || false
  comment.author = user
  comment.comment_thread = thread
-  filter_blocked_content comment
  comment.save
  if comment.errors.any?
    error 400, comment.errors.full_messages.to_json

--- a/api/commentables.rb
+++ b/api/commentables.rb
@@ -15,6 +15,7 @@ get "#{APIPREFIX}/:commentable_id/threads" do |commentable_id|
 end

 post "#{APIPREFIX}/:commentable_id/threads" do |commentable_id|
+  filter_blocked_content params["body"]
  thread = CommentThread.new(params.slice(*%w[title body course_id ]).merge(commentable_id: commentable_id))
  thread.anonymous = bool_anonymous || false
  thread.anonymous_to_peers = bool_anonymous_to_peers || false
@@ -24,7 +25,6 @@ post "#{APIPREFIX}/:commentable_id/threads" do |commentable_id|
  end
  
  thread.author = user
-  filter_blocked_content thread
  thread.save
  if thread.errors.any?
    error 400, thread.errors.full_messages.to_json

--- a/api/comments.rb
+++ b/api/comments.rb
@@ -3,8 +3,8 @@ get "#{APIPREFIX}/comments/:comment_id" do |comment_id|
 end

 put "#{APIPREFIX}/comments/:comment_id" do |comment_id|
+  filter_blocked_content params["body"]
  comment.update_attributes(params.slice(*%w[body endorsed]))
-  filter_blocked_content comment
  if comment.errors.any?
    error 400, comment.errors.full_messages.to_json
  else
@@ -13,12 +13,12 @@ put "#{APIPREFIX}/comments/:comment_id" do |comment_id|
 end

 post "#{APIPREFIX}/comments/:comment_id" do |comment_id|
+  filter_blocked_content params["body"]
  sub_comment = comment.children.new(params.slice(*%w[body course_id]))
  sub_comment.anonymous = bool_anonymous || false
  sub_comment.anonymous_to_peers = bool_anonymous_to_peers || false
  sub_comment.author = user
  sub_comment.comment_thread = comment.comment_thread
-  filter_blocked_content sub_comment
  sub_comment.save
  if sub_comment.errors.any?
    error 400, sub_comment.errors.full_messages.to_json

--- a/lib/helpers.rb
+++ b/lib/helpers.rb
@@ -278,9 +278,9 @@ helpers do

  end

-  def filter_blocked_content c
+  def filter_blocked_content body
    begin
-      normalized_body = c.body.strip.downcase.gsub(/[^a-z ]/, '').gsub(/\s+/, ' ')
+      normalized_body = body.strip.downcase.gsub(/[^a-z ]/, '').gsub(/\s+/, ' ')
      hash = Digest::MD5.hexdigest(normalized_body)
    rescue
      # body was nil, or the hash function failed somehow - never mind

--- a/spec/api/comment_spec.rb
+++ b/spec/api/comment_spec.rb
@@ -68,11 +68,14 @@ describe "app" do
        last_response.status.should == 400
        parse(last_response.body).first.should == I18n.t(:requested_object_not_found)
      end
-      it "returns 503 when the post hash is blocked" do
+      it "returns 503 and does not update when the post hash is blocked" do
        comment = Comment.first
+        original_body = comment.body
        put "/api/v1/comments/#{comment.id}", body: "BLOCKED POST", endorsed: true
        last_response.status.should == 503
        parse(last_response.body).first.should == I18n.t(:blocked_content_with_body_hash, :hash => Digest::MD5.hexdigest("blocked post"))
+        comment.reload
+        comment.body.should == original_body
      end

      def test_unicode_data(text)
@@ -101,12 +104,13 @@ describe "app" do
        last_response.status.should == 400
        parse(last_response.body).first.should == I18n.t(:requested_object_not_found)
      end
-      it "returns 503 when the post hash is blocked" do
+      it "returns 503 and does not create when the post hash is blocked" do
        comment = Comment.first.to_hash(recursive: true)
        user = User.first
        post "/api/v1/comments/#{comment["id"]}", body: "BLOCKED POST", course_id: "1", user_id: User.first.id
        last_response.status.should == 503
        parse(last_response.body).first.should == I18n.t(:blocked_content_with_body_hash, :hash => Digest::MD5.hexdigest("blocked post"))
+        Comment.where(body: "BLOCKED POST").to_a.should be_empty
      end

      def test_unicode_data(text)

--- a/spec/api/comment_thread_spec.rb
+++ b/spec/api/comment_thread_spec.rb
@@ -480,12 +480,17 @@ describe "app" do
        last_response.status.should == 400
        parse(last_response.body).first.should == I18n.t(:requested_object_not_found)
      end
-      it "returns 503 if the post body has been blocked" do
+      it "returns 503 and does not update if the post body has been blocked" do
        thread = CommentThread.first
+        original_body = thread.body
        put "/api/v1/threads/#{thread.id}", body: "BLOCKED POST", title: "new title", commentable_id: "new_commentable_id"
        last_response.status.should == 503
+        thread.reload
+        thread.body.should == original_body
        put "/api/v1/threads/#{thread.id}", body: "blocked,   post...", title: "new title", commentable_id: "new_commentable_id"
        last_response.status.should == 503
+        thread.reload
+        thread.body.should == original_body
      end

      def test_unicode_data(text)
@@ -542,9 +547,10 @@ describe "app" do
        post "/api/v1/threads/#{CommentThread.first.id}/comments", default_params.merge(body: "    \n      \n  ")
        last_response.status.should == 400
      end
-      it "returns 503 when the post body has been blocked" do
+      it "returns 503 and does not create when the post body has been blocked" do
        post "/api/v1/threads/#{CommentThread.first.id}/comments", default_params.merge(body: "BLOCKED POST")
        last_response.status.should == 503
+        Comment.where(body: "BLOCKED POST").to_a.should be_empty
      end

      def test_unicode_data(text)

--- a/spec/api/commentable_spec.rb
+++ b/spec/api/commentable_spec.rb
@@ -97,10 +97,11 @@ describe "app" do
        post '/api/v1/question_1/threads', default_params.merge(body: "     \n    \n")
        last_response.status.should == 400
      end
-      it "returns 503 when the post content is blocked" do
+      it "returns 503 and does not create when the post content is blocked" do
        post '/api/v1/question_1/threads', default_params.merge(body: "BLOCKED POST")
        last_response.status.should == 503
        parse(last_response.body).first.should == I18n.t(:blocked_content_with_body_hash, :hash => Digest::MD5.hexdigest("blocked post"))
+        CommentThread.where(body: "BLOCKED POST").to_a.should be_empty
      end

      def test_unicode_data(text)