From 90e593946d433d1ba1c43090283723f6c59ffb16 Mon Sep 17 00:00:00 2001
From: Kyle Maas
Date: Wed, 2 Oct 2024 08:52:30 -0400
Subject: [PATCH] feat: allow commenting by regular users when posting media requires advanced permissions (#1023)

---
 cms/permissions.py | 28 ++++++++++++++++++++++++++++
 cms/settings.py    |  4 ++++
 files/views.py     |  9 +++++++--
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/cms/permissions.py b/cms/permissions.py
index 8c372e8..14eecac 100644
--- a/cms/permissions.py
+++ b/cms/permissions.py
@@ -11,6 +11,13 @@ class IsAuthorizedToAdd(permissions.BasePermission):
         return user_allowed_to_upload(request)
 
 
+class IsAuthorizedToAddComment(permissions.BasePermission):
+    def has_permission(self, request, view):
+        if request.method in permissions.SAFE_METHODS:
+            return True
+        return user_allowed_to_comment(request)
+
+
 class IsUserOrManager(permissions.BasePermission):
     """To be used in cases where request.user is either the object owner,
     or anyone amongst MediaCMS managers
@@ -66,3 +73,24 @@ def user_allowed_to_upload(request):
         if request.user.advancedUser:
             return True
     return False
+
+
+def user_allowed_to_comment(request):
+    """Any custom logic for whether a user is allowed
+    to comment lives here
+    """
+    if request.user.is_anonymous:
+        return False
+    if request.user.is_superuser:
+        return True
+
+    # Default is "all"
+    if not hasattr(settings, "CAN_COMMENT") or settings.CAN_COMMENT == "all":
+        return True
+    elif settings.CAN_COMMENT == "email_verified":
+        if request.user.email_is_verified:
+            return True
+    elif settings.CAN_COMMENT == "advancedUser":
+        if request.user.advancedUser:
+            return True
+    return False
diff --git a/cms/settings.py b/cms/settings.py
index 33fd796..48fa47a 100644
--- a/cms/settings.py
+++ b/cms/settings.py
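Review bot: `IsAuthorizedToAddComment` carries no docstring although the neighbouring `IsUserOrManager` documents its intent, and its contract deserves spelling out: every non-safe method (POST, PUT and DELETE alike) is admitted solely by `user_allowed_to_comment(request)`, which in this patch inspects only the requesting user and settings, never the object being acted on. I would add under the class line `"""Read access for everyone; any other method requires user_allowed_to_comment(). No ownership check is made here, so views that edit or delete a comment must verify the owner themselves."""`. This matters where the class is wired in at `CommentDetail` in files/views.py later in this patch, which also serves DELETE: under the default `CAN_COMMENT = "all"` the permission layer now admits any authenticated user to that endpoint, so unless the delete handler (outside the hunk) checks ownership or editor/manager status itself, swapping from the upload policy widens who can remove comments.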
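Review bot: The `hasattr(settings, "CAN_COMMENT") or settings.CAN_COMMENT == "all"` test in `user_allowed_to_comment` reads more simply as `if getattr(settings, "CAN_COMMENT", "all") == "all":`, and the function's docstring should state the accepted values and what happens otherwise, since the `if`/`elif` chain falls through to `return False` for any unrecognized string and so refuses every non-superuser. That fail-closed outcome is the safe one, but a typo in settings would then silently disable commenting with no log line, which is worth either documenting or reporting. I would replace the placeholder docstring with `"""Return True if request.user may post a comment. Anonymous users are refused and superusers always allowed; otherwise settings.CAN_COMMENT selects the rule ("all", "email_verified" or "advancedUser"; missing means "all"). Any other value refuses all non-superusers."""`. The same caveat applies to the `# valid options` comment on the new `CAN_COMMENT` setting in cms/settings.py.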
@@ -15,6 +15,10 @@ TIME_ZONE = "Europe/London"
 # valid options include 'all', 'email_verified', 'advancedUser'
 CAN_ADD_MEDIA = "all"
 
+# who can comment
+# valid options include 'all', 'email_verified', 'advancedUser'
+CAN_COMMENT = "all"
+
 # valid choices here are 'public', 'private', 'unlisted
 PORTAL_WORKFLOW = "public"
 
diff --git a/files/views.py b/files/views.py
index eb8657c..2343d33 100644
--- a/files/views.py
+++ b/files/views.py
@@ -24,7 +24,12 @@ from rest_framework.views import APIView
 
 from actions.models import USER_MEDIA_ACTIONS, MediaAction
 from cms.custom_pagination import FastPaginationWithoutCount
-from cms.permissions import IsAuthorizedToAdd, IsUserOrEditor, user_allowed_to_upload
+from cms.permissions import (
+    IsAuthorizedToAdd,
+    IsAuthorizedToAddComment,
+    IsUserOrEditor,
+    user_allowed_to_upload,
+)
 from users.models import User
 
 from .forms import ContactForm, MediaForm, SubtitleForm
@@ -1204,7 +1209,7 @@ class CommentDetail(APIView):
     Delete comment (DELETE)
     """
 
-    permission_classes = (IsAuthorizedToAdd,)
+    permission_classes = (IsAuthorizedToAddComment,)
     parser_classes = (JSONParser, MultiPartParser, FormParser, FileUploadParser)
 
     def get_object(self, friendly_token):