From 216b9278af9e28a3d6df1c6841e9542217ac2d5f Mon Sep 17 00:00:00 2001 From: Dalai Felinto Date: Mon, 4 Sep 2017 21:27:30 +0200 Subject: [PATCH] A user should not be able to vote on own content This should be hidden in the UI as well, but the backend should support this too. We also want to set initial rating of 1 for contents that need it. This commit includes a new unittest for this case. Reviewers: sybren Differential Revision: https://developer.blender.org/D2825
---
 pillar/api/nodes/custom/comment.py | 6 +++++- tests/test_api/test_patch.py | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/pillar/api/nodes/custom/comment.py b/pillar/api/nodes/custom/comment.py
index 3a089729..89da6c95 100644
--- a/pillar/api/nodes/custom/comment.py
+++ b/pillar/api/nodes/custom/comment.py
@@ -41,11 +41,15 @@ def vote_comment(user_id, node_id, patch):
 '$or': [{'properties.ratings.$.user': {'$exists': False}}, {'properties.ratings.$.user': user_id}]}
 node = nodes_coll.find_one(node_query,
- projection={'properties': 1})
+ projection={'properties': 1, 'user': 1})
 if node is None:
 log.warning('User %s wanted to patch non-existing node %s' % (user_id, node_id))
 raise wz_exceptions.NotFound('Node %s not found' % node_id)
+ # We don't allow the user to down/upvote their own nodes.
+ if user_id == node['user']:
+ raise wz_exceptions.Forbidden('You cannot vote on your own node')
+ props = node['properties'] # Find the current rating (if any)
diff --git a/tests/test_api/test_patch.py b/tests/test_api/test_patch.py
index 01b93652..d39e82fe 100644
--- a/tests/test_api/test_patch.py
+++ b/tests/test_api/test_patch.py
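Review bot: The new ownership check indexes `node['user']` directly, so a node document stored without a `user` field would raise KeyError and surface as a 500 instead of a clean response; whether such documents can exist is not visible here, but `if user_id == node.get('user'):` costs nothing. The rejection is also silent, unlike the not-found branch just above it, so self-vote attempts leave no trace for anyone investigating abuse of the rating system; consider `log.warning('User %s tried to vote on own node %s', user_id, node_id)` before the raise. vote_comment begins and continues outside this hunk, so the types of `user_id` and the stored `user` value cannot be confirmed from here; if one were a string and the other an ObjectId the comparison would never match, which the new tests in test_patch.py should catch.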
@@ -48,6 +48,20 @@ class AbstractPatchCommentTest(AbstractPillarTest):
 class VoteCommentTest(AbstractPatchCommentTest):
+ def test_upvote_self_comment(self):
+ # It should fail since we don't allow users to vote on own comment.
+ self.patch(self.node_url,
+ json={'op': 'upvote'},
+ auth_token='owner-token',
+ expected_status=403)
+
+ def test_downvote_self_comment(self):
+ # It should fail since we don't allow users to vote on own comment.
+ self.patch(self.node_url,
+ json={'op': 'downvote'},
+ auth_token='owner-token',
+ expected_status=403)
+ def test_upvote_other_comment(self): # Patch the node res = self.patch(self.node_url,
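Review bot: Both new tests assert only the 403 status, so they would still pass if a later refactor moved the ownership check after the rating update and the vote were written before the request is rejected. After each `self.patch(...)` call, re-fetch the comment and assert that its stored ratings are unchanged. Only the `upvote` and `downvote` operations appear in this hunk; if the endpoint accepts other vote operations, a self-vote test for each would pin the same guarantee. test_upvote_other_comment continues outside the hunk.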