Skip to content

Fix(publisher): Inconsistent role based behaviour in comment reply functionality#1391

Open
ShavinAnjithaAlpha wants to merge 1 commit into
wso2:mainfrom
ShavinAnjithaAlpha:fix/4881-inconsistent-role-based-comment-reply
Open

Fix(publisher): Inconsistent role based behaviour in comment reply functionality#1391
ShavinAnjithaAlpha wants to merge 1 commit into
wso2:mainfrom
ShavinAnjithaAlpha:fix/4881-inconsistent-role-based-comment-reply

Conversation

@ShavinAnjithaAlpha

Copy link
Copy Markdown
Contributor

Purpose

In the Publisher portal's comment reply functionality, currently only users with publisher and admin roles can reply to a comment. For other roles, the Reply button and Add Comment text field are disabled, even if those roles have the default scopes to create a comment. The current implementation only checks the user's role instead of checking their scopes for the necessary permissions.

This PR fixes this issue by replacing that logic with proper user scope checking for both the Reply button's visibility and the Add Comment text field's editability.

Fixes #4881

Public Issue Link

Approach

File Modified: CommentOptions.jsx, CommentAdd.jsx

CommentOptions.jsx: Updated the canReply boolean variable to determine its value using the user's scopes instead of user roles.

CommentAdd.jsx: Updated the isAccessRestricted function to check the user's scopes for adding comments. (Note: The existing implementation used the default AuthManager.isRestricted function, which is not suitable for this scenario).

In the Publisher portal comment reply functionality, currently only the Admins
and Publishers were allowed to make a reply to a comment regarding their
user scopes for comments. This fixes it by instead of checking the user role
check whether the user has necessary scopes for adding a comment (apim:comment_write or apim:comment_manage)

Fixes #4881
@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Comment creation and reply authorization now use user comment scopes. API-type restrictions and creator/administrator role checks were replaced with scope checks in the publisher comment components.

Changes

Comment scope authorization

Layer / File(s) Summary
Comment creation permission check
portals/publisher/.../Comments/CommentAdd.jsx
CommentAdd now reads the current user through AuthManager and restricts access unless both comment write and manage scopes are present.
Comment reply permission check
portals/publisher/.../Comments/CommentOptions.jsx
Reply controls are shown when the user has either the comment write or comment manage scope.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly matches the main change: replacing role-based comment reply behavior with scope-based checks.
Description check ✅ Passed The description accurately explains the scope-based fix for Reply and Add Comment behavior and matches the changed files.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@ShavinAnjithaAlpha ShavinAnjithaAlpha changed the title Fix(publisher): Inconsistent role based behaviour comment reply functionality Fix(publisher): Inconsistent role based behaviour in comment reply functionality Jul 10, 2026
return isRestricted(['apim:api_create', 'apim:api_publish'], api);
}
const user = AuthManager.getUser();
return !user.scopes.includes("apim:comment_write") && !user.scopes.includes("apim:comment_manage");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original isRestricted() utility handles the user being null other cases of having publish permissions and lifecycle states. any reason to remove that?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the backend carbon-apimgt logic for addComment, there were no consideration in the API lifecycle state and publish permission checks, therefore rather than using existing generic isRestricted helper method, a separate method has been used to check the permissions for the Add Comment in the frontend.

const username = Utils.getUserNameWithoutDomain(user.name);
const canDelete = (comment.createdBy === username) || user.isAdmin();
const canReply = !user.isCreator() || user.isAdmin();
const canReply = user.scopes.includes("apim:comment_write") || user.scopes.includes("apim:comment_manage");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cant we use the isRestricted same util method here

return isRestricted(['apim:api_create', 'apim:api_publish'], api);
}
const user = AuthManager.getUser();
return !user.scopes.includes("apim:comment_write") && !user.scopes.includes("apim:comment_manage");

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also logic here is an AND. but our scope validation logic behaves in OR in REST API

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the REST API allows access if the user has either scope (OR). Since this frontend method calculates whether to restrict the user, it needs to return true only when the user is missing both scopes. So !write && !manage exactly mirrors the backend's write || manage logic"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants