fix content check in add endpoint: now can handle also paths that sta…

.github/workflows/black.yml

@@ -19,7 +19,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       # python cache
-      - uses: actions/cache@v1
+      - uses: actions/cache@v3
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}

.github/workflows/flake8.yml

@@ -19,7 +19,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       # python cache
-      - uses: actions/cache@v1
+      - uses: actions/cache@v3
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}

.github/workflows/pyroma.yml

@@ -19,7 +19,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       # python cache
-      - uses: actions/cache@v1
+      - uses: actions/cache@v3
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}

.github/workflows/test.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Cache eggs
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: eggs
           key: ${{ runner.OS }}-build-python${{ matrix.python }}-${{ matrix.plone }}

.github/workflows/zpretty.yml

@@ -19,7 +19,7 @@ jobs:
           python-version: ${{ matrix.python-version }}
 
       # python cache
-      - uses: actions/cache@v1
+      - uses: actions/cache@v3
         with:
           path: ~/.cache/pip
           key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}

CHANGES.rst

@@ -5,7 +5,8 @@ Changelog
 1.2.1 (unreleased)
 ------------------
 
-- Nothing changed yet.
+- Fix logic for non-content paths: now can handle also paths that startw with a pattern.
+  [cekk]
 
 
 1.2.0 (2025-02-28)

base.cfg

@@ -22,6 +22,7 @@ parts =
 
 develop = .
 
+eggs-directory = eggs
 
 [instance]
 recipe = plone.recipe.zope2instance
@@ -128,3 +129,5 @@ mode = 755
 [versions]
 # Don't use a released version of collective.feedback
 collective.feedback =
+setuptools =
+zc.buildout =

src/collective/feedback/restapi/services/__init__.py

@@ -0,0 +1,5 @@
+import re
+
+
+def looks_like_path(string):
+    return bool(re.match(r"^(/|/[^\s<>:\"|?*]+.*)$", string))

src/collective/feedback/restapi/services/add.py

@@ -1,5 +1,6 @@
 from collective.feedback.controlpanels.settings import ICollectiveFeedbackSettings
 from collective.feedback.interfaces import ICollectiveFeedbackStore
+from collective.feedback.restapi.services import looks_like_path
 from plone import api
 from plone.protect.interfaces import IDisableCSRFProtection
 from plone.restapi.deserializer import json_body
@@ -8,8 +9,6 @@
 from zope.component import getUtility
 from zope.interface import alsoProvides
 
-import re
-
 
 class FeedbackAdd(Service):
     """
@@ -20,6 +19,11 @@ class FeedbackAdd(Service):
 
     def reply(self):
         alsoProvides(self.request, IDisableCSRFProtection)
+        self.allowed_views = api.portal.get_registry_record(
+            "allowed_feedback_view",
+            interface=ICollectiveFeedbackSettings,
+            default=False,
+        )
         form_data = json_body(self.request)
         self.validate_form(form_data=form_data)
         data = self.extract_data(form_data=form_data)
@@ -55,29 +59,30 @@ def validate_form(self, form_data):
             if not value:
                 raise BadRequest("Campo obbligatorio mancante: {}".format(field))
 
-    def looks_like_path(self, string):
-        return bool(re.match(r"^(/|/[^\s<>:\"|?*]+.*)$", string))
+    def check_allowed_views(self, value):
+        for allowed_view in self.allowed_views:
+            if value == allowed_view:
+                return True
+            if looks_like_path(allowed_view):
+                if allowed_view.endswith("/"):
+                    check_path = allowed_view
+                else:
+                    check_path = allowed_view + "/"
+                return value.startswith(check_path)
+        return False
 
     def extract_data(self, form_data):
         path = form_data.pop("content")
-        if self.looks_like_path(path):
+
+        if self.check_allowed_views(path):
+            form_data.update({"title": path})
+        else:
             portal = api.portal.get()
             contextual_path = "/" + portal.id + path
             context = api.content.get(path=contextual_path)
-            if not context:
-                raise BadRequest(f"Object with path {contextual_path} not found.")
-
-            form_data.update({"uid": context.UID()})
-            form_data.update({"title": context.Title()})
-        else:
-            allowed_view = api.portal.get_registry_record(
-                "allowed_feedback_view",
-                interface=ICollectiveFeedbackSettings,
-                default=False,
-            )
-            if path not in allowed_view:
-                raise BadRequest(f"View non consentita: {path}")
-
-            form_data.update({"title": path})
-
+            if context:
+                form_data.update({"uid": context.UID()})
+                form_data.update({"title": context.Title()})
+            else:
+                raise BadRequest(f"Object with path {path} not found.")
         return form_data

src/collective/feedback/restapi/services/get.py

@@ -1,5 +1,6 @@
 from AccessControl import Unauthorized
 from collective.feedback.interfaces import ICollectiveFeedbackStore
+from collective.feedback.restapi.services import looks_like_path
 from copy import deepcopy
 from datetime import datetime
 from plone import api
@@ -186,33 +187,10 @@ def get_data(self):
             vote = feedback._attrs.get("vote", "")
 
             if uid not in feedbacks:
-                try:
-                    uuid.UUID(uid)
-                    valid_uuid = True
-                except ValueError:
-                    valid_uuid = False
-
-                obj = None
-                if valid_uuid:
-                    obj = self.get_commented_obj(uid=uid)
-                    if not obj and not api.user.has_permission(
-                        "collective.feedback: Show Deleted Feedbacks"
-                    ):
-                        # only manager can list deleted object's reviews
-                        continue
-
-                new_data = {
-                    "vote_num": 0,
-                    "vote_sum": 0,
-                    "comments": 0,
-                    "title": feedback._attrs.get("title", ""),
-                    "uid": uid,
-                }
-
-                if obj:
-                    new_data["title"] = obj.Title()
-                    new_data["url"] = obj.absolute_url()
-
+                new_data = self.get_new_data(uid=uid, feedback=feedback)
+                if not new_data:
+                    # no data, skip
+                    continue
                 feedbacks[uid] = new_data
 
             # vote avg
@@ -263,6 +241,46 @@ def get_data(self):
 
         return self.sort_result(result)
 
+    def get_new_data(self, uid, feedback):
+        """
+        Generate data for feedback entry
+        """
+        try:
+            uuid.UUID(uid)
+            valid_uuid = True
+        except ValueError:
+            valid_uuid = False
+
+        obj = None
+        if valid_uuid:
+            obj = self.get_commented_obj(uid=uid)
+            if not obj and not api.user.has_permission(
+                "collective.feedback: Show Deleted Feedbacks"
+            ):
+                # only manager can list deleted object's reviews
+                return None
+
+        title = feedback._attrs.get("title", "")
+        new_data = {
+            "vote_num": 0,
+            "vote_sum": 0,
+            "comments": 0,
+            "uid": uid,
+            "title": title,
+        }
+
+        if obj:
+            new_data["title"] = obj.Title()
+            new_data["url"] = obj.absolute_url()
+        else:
+            # it's a contextless feedback
+            if looks_like_path(title):
+                fixed_title = title.rstrip("/").rsplit("/", 1)[-1]
+                fixed_title = fixed_title.replace("-", " ").capitalize()
+                new_data["title"] = fixed_title
+                new_data["url"] = title
+        return new_data
+
 
 class FeedbackGetCSV(FeedbackGet):
     """Service for getting feedbacks as csv file"""

src/collective/feedback/tests/test_feedbacks_add.py

@@ -1,4 +1,5 @@
 # -*- coding: utf-8 -*-
+from collective.feedback.controlpanels.settings import ICollectiveFeedbackSettings
 from collective.feedback.interfaces import ICollectiveFeedbackStore
 from collective.feedback.testing import RESTAPI_TESTING
 from plone import api
@@ -180,3 +181,64 @@ def test_add_feedback_to_allowed_and_disallowed_views(self):
         self.assertEqual(res.status_code, 400)
         transaction.commit()
         self.assertEqual(len(tool.search(query={"title": not_allowed_view})), 0)
+
+    def test_add_feedback_to_allowed_path_starts_with(self):
+        allowed_views = api.portal.get_registry_record(
+            "allowed_feedback_view",
+            interface=ICollectiveFeedbackSettings,
+            default=False,
+        )
+        allowed_views.append("/my-path")
+        api.portal.set_registry_record(
+            "allowed_feedback_view",
+            allowed_views,
+            interface=ICollectiveFeedbackSettings,
+        )
+
+        transaction.commit()
+
+        # Aggiunta di un feedback in una vista consentita
+        res = self.anon_api_session.post(
+            self.url,
+            json={
+                "vote": 5,
+                "comment": "Great login experience",
+                "honey": "",
+                "content": "/my-path",
+            },
+        )
+        self.assertEqual(res.status_code, 204)
+        transaction.commit()
+
+        tool = getUtility(ICollectiveFeedbackStore)
+        self.assertEqual(len(tool.search(query={"title": "/my-path"})), 1)
+
+        res = self.anon_api_session.post(
+            self.url,
+            json={
+                "vote": 5,
+                "comment": "Great admin experience",
+                "honey": "",
+                "content": "/my-path/foo",
+            },
+        )
+
+        self.assertEqual(res.status_code, 204)
+        transaction.commit()
+
+        tool = getUtility(ICollectiveFeedbackStore)
+        self.assertEqual(len(tool.search(query={"title": "/my-path/foo"})), 1)
+
+        # Aggiunta di un feedback in una vista non consentita
+        res = self.anon_api_session.post(
+            self.url,
+            json={
+                "vote": 5,
+                "comment": "Great admin experience",
+                "honey": "",
+                "content": "/my-pathh",
+            },
+        )
+        self.assertEqual(res.status_code, 400)
+        transaction.commit()
+        self.assertEqual(len(tool.search(query={"title": "/my-pathh"})), 0)