Add ensureUserCanSendComment authorization middleware (#22959)

* Add ensureUserCanSendComment authorization middleware

* added tests

GitOrigin-RevId: d1f58bd6bc63275456e5280ccb8c99aaa02c4e5f

services/web/app/src/Features/Authorization/AuthorizationManager.js

@@ -280,11 +280,25 @@ async function canUserResolveThread(userId, projectId, docId, threadId, token) {
   return comment.metadata.user_id === userId
 }
 
+async function canUserSendComment(userId, projectId, token) {
+  const privilegeLevel = await getPrivilegeLevelForProject(
+    userId,
+    projectId,
+    token
+  )
+  return (
+    privilegeLevel === PrivilegeLevels.OWNER ||
+    privilegeLevel === PrivilegeLevels.READ_AND_WRITE ||
+    privilegeLevel === PrivilegeLevels.REVIEW
+  )
+}
+
 module.exports = {
   canUserReadProject: callbackify(canUserReadProject),
   canUserWriteProjectContent: callbackify(canUserWriteProjectContent),
   canUserReviewProjectContent: callbackify(canUserReviewProjectContent),
   canUserResolveThread: callbackify(canUserResolveThread),
+  canUserSendComment: callbackify(canUserSendComment),
   canUserWriteProjectSettings: callbackify(canUserWriteProjectSettings),
   canUserRenameProject: callbackify(canUserRenameProject),
   canUserAdminProject: callbackify(canUserAdminProject),
@@ -297,6 +311,7 @@ module.exports = {
     canUserWriteProjectContent,
     canUserReviewProjectContent,
     canUserResolveThread,
+    canUserSendComment,
     canUserWriteProjectSettings,
     canUserRenameProject,
     canUserAdminProject,

services/web/app/src/Features/Authorization/AuthorizationMiddleware.js

@@ -129,6 +129,25 @@ async function ensureUserCanResolveThread(req, res, next) {
   return HttpErrorHandler.forbidden(req, res)
 }
 
+async function ensureUserCanSendComment(req, res, next) {
+  const projectId = _getProjectId(req)
+  const userId = _getUserId(req)
+  const token = TokenAccessHandler.getRequestToken(req, projectId)
+
+  const canSendComment = await AuthorizationManager.promises.canUserSendComment(
+    userId,
+    projectId,
+    token
+  )
+  if (canSendComment) {
+    logger.debug({ userId, projectId }, 'allowing user to send a comment')
+    return next()
+  }
+
+  logger.debug({ userId, projectId }, 'denying user to send a comment')
+  return HttpErrorHandler.forbidden(req, res)
+}
+
 async function ensureUserCanWriteProjectContent(req, res, next) {
   const projectId = _getProjectId(req)
   const userId = _getUserId(req)
@@ -249,6 +268,7 @@ module.exports = {
     ensureUserCanWriteProjectSettings
   ),
   ensureUserCanResolveThread: expressify(ensureUserCanResolveThread),
+  ensureUserCanSendComment: expressify(ensureUserCanSendComment),
   ensureUserCanWriteProjectContent: expressify(
     ensureUserCanWriteProjectContent
   ),

services/web/test/unit/src/Authorization/AuthorizationManagerTests.js

@@ -462,6 +462,15 @@ describe('AuthorizationManager', function () {
     tokenReadAndWrite: true,
   })
 
+  testPermission('canUserSendComment', {
+    siteAdmin: true,
+    owner: true,
+    readAndWrite: true,
+    review: true,
+    publicReadAndWrite: true,
+    tokenReadAndWrite: true,
+  })
+
   testPermission('canUserWriteProjectContent', {
     siteAdmin: true,
     owner: true,

services/web/test/unit/src/Authorization/AuthorizationMiddlewareTests.js

@@ -26,6 +26,7 @@ describe('AuthorizationMiddleware', function () {
         canUserWriteProjectSettings: sinon.stub(),
         canUserWriteProjectContent: sinon.stub(),
         canUserResolveThread: sinon.stub(),
+        canUserSendComment: sinon.stub(),
         canUserAdminProject: sinon.stub(),
         canUserRenameProject: sinon.stub(),
         canUserReviewProjectContent: sinon.stub(),
@@ -86,6 +87,10 @@ describe('AuthorizationMiddleware', function () {
     )
   })
 
+  describe('ensureUserCanSendComment', function () {
+    testMiddleware('ensureUserCanSendComment', 'canUserSendComment')
+  })
+
   describe('ensureUserCanResolveThread', function () {
     beforeEach(function () {
       this.req.params.doc_id = this.doc_id