API Access to Moderation Queue #1028
It works exactly like `/latest` but returns only posts waiting moderation. The endpoint has to be explicitly enabled and requests must be authorized with the admin password. The admin interface also has to be enabled to make sure that people have changed the password.
It should be mentioned that the endpoint /latest only returns accepted comments.
Version 0.13.0 is already released. Change to the probable next version, 0.13.1.
In general, I think this idea is sensible. A few comments inline.
I don't think you really need a new config option for this though. Either someone has already enabled the admin interface, giving anyone with admin credentials access to all comments, or admin is disabled, which will also disable the new /pending endpoint. My concern is that going at this rate, the whole routing system will at some point in the future be (poorly) exposed through the configuration file.
response = self.getAuthenticated('/pending?limit=5', 'admin', password) | ||
self.assertEqual(response.status_code, 404) | ||
|
||
def testPendingNotEnabled(self): |
should be testPendingEnabled
"Unavailable because 'pending-enabled' not set by site admin" | ||
) | ||
|
||
return self._latest(environ, request, "2") |
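Review bot: the moderation mode is passed to `_latest` as the bare literal `"2"` (with `"1"` presumably used by the existing `/latest` caller); a named constant for each mode would make this call site self-documenting and keep the two callers from drifting apart.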
Rather than adding a new endpoint, wouldn't it make more sense to instead pass through a mode GET parameter? It would remain at "1" as a default for /latest and could be set to "2" to get pending comments (which would then require auth).
@@ -65,6 +65,10 @@ gravatar-url = https://www.gravatar.com/avatar/{}?d=identicon&s=55 | |||
# needing to previously know the posts URIs) | |||
latest-enabled = false | |||
|
|||
# enable the "/pending" endpoint, that works likes "/latest" but only | |||
# for comments waiting moderation |
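Review bot: the comment above the new option only describes the filter; the PR description says the endpoint also requires the admin interface to be enabled and requests to be authorized with the admin password, so state that here, otherwise an operator who sets `pending-enabled = true` with admin disabled will not understand why the endpoint still returns 404.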
"that works like"
"awaiting"
@@ -844,6 +864,64 @@ def testModerateComment(self): | |||
# Comment should no longer exist | |||
self.assertEqual(self.app.db.comments.get(id_), None) | |||
|
|||
def testPendingWithoutAdmin(self): | |||
self.conf.set("admin", "enabled", "false") |
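Review bot: `self.conf.set("admin", "enabled", "false")` mutates configuration shared with the other tests in this class and is never restored in this hunk; set it back at the end of the test or in `tearDown` so the remaining tests do not depend on execution order.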
Are these tests guaranteed to be run in order? I'd prefer you un-set the admin.enabled value at test end.
I'm afraid I will need a couple of weeks to come back to this PR.
Checklist
- CHANGES.rst, because this is a user-facing change or an important bugfix

What changes does this Pull Request introduce?
This PR introduces a new API endpoint /pending which works like /latest with the following differences:
- It has to be enabled explicitly with [general] pending-enabled set to "true".
- Requests must be authorized with the admin password, which requires the admin interface to be enabled.

The last requirement is maybe a little bit paranoid. Rationale: the admin password is currently only used for the admin interface. The requirement is meant to ensure that people have changed the default password. On the other hand, the endpoint does not expose sensitive information but only potential spam.
The feature/endpoint only makes sense when moderation is enabled. But this is not explicitly checked because it causes no harm if moderation is not enabled.

Why is this necessary?
If you want to implement an alternative notification mechanism for comments awaiting moderation, access to the moderation queue via the API is required. The existing /latest endpoint only returns accepted comments. The new endpoint should require authorization because it exposes comments that are not publicly visible...
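The gating described in this PR (endpoint off by default, admin interface required, admin password checked, only mode-2 comments returned), as an added stand-alone example that is not Isso's code: the `Config`, `Store`, mode strings and the (status, body) return shape are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field

# Constructed mode values mirroring the "1" / "2" discussed in the review.
MODE_ACCEPTED, MODE_PENDING = "1", "2"


@dataclass
class Config:
    # Hypothetical flattening of [general] pending-enabled and [admin] settings.
    pending_enabled: bool = False
    admin_enabled: bool = False
    admin_password: str = "change-me"   # stands in for a never-changed default


@dataclass
class Store:
    comments: list = field(default_factory=list)

    def latest(self, mode, limit):
        """Newest comments in the given moderation mode, like /latest does."""
        rows = [c for c in self.comments if c["mode"] == mode]
        rows.sort(key=lambda c: c["created"], reverse=True)
        return rows[:limit]


def _authorized(conf, supplied):
    # Constant-time comparison so a wrong password does not leak by timing.
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), conf.admin_password.encode())


def pending(conf, store, password=None, limit=5):
    """Return (status, body) for a /pending request under the PR's rules."""
    # 1. The endpoint must be switched on explicitly; otherwise it does not exist.
    if not conf.pending_enabled:
        return 404, "Unavailable because 'pending-enabled' not set by site admin"
    # 2. The admin interface must be on; the PR uses this as a proxy for
    #    "the default password has been changed".
    if not conf.admin_enabled:
        return 404, "Unavailable because the admin interface is disabled"
    # 3. Only the admin may see comments that are not publicly visible.
    if not _authorized(conf, password):
        return 401, "Authorization required"
    return 200, store.latest(MODE_PENDING, limit)
```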