AO3-5860 Prevent leaving comments or kudos when logged in as admin

app/controllers/comments_controller.rb

@@ -28,6 +28,7 @@ class CommentsController < ApplicationController
   before_action :check_permission_to_moderate, only: [:approve, :reject]
   before_action :check_permission_to_modify_frozen_status, only: [:freeze, :unfreeze]
   before_action :check_permission_to_modify_hidden_status, only: [:hide, :unhide]
+  before_action :admin_logout_required, only: [:create]
 
   include BlockHelper
 

app/controllers/kudos_controller.rb

@@ -1,5 +1,6 @@
 class KudosController < ApplicationController
   skip_before_action :store_location
+  before_action :admin_logout_required, only: [:create]
 
   def index
     @work = Work.find(params[:work_id])

app/views/comments/_comment_form.html.erb

@@ -2,115 +2,120 @@
 <% if !commentable && @commentable %>
   <% commentable = @commentable %>
 <% end %>
-<div class="post comment" id="comment_form_for_<%= commentable.id %>">
-  <%= form_for value_for_comment_form(commentable, comment), :remote => !comment.new_record?, :html => {:id => "comment_for_#{commentable.id}"} do |f| %>
-    <fieldset>
-      <legend><%= ts("Post Comment") %></legend>
 
-      <% # here come the hacks (hidden fields to transmit various info to the create action) %>
-      <% if commentable.is_a?(Tag) %>
-        <%= hidden_field_tag :tag_id, commentable.name %>
-      <% end %>
+<% if logged_in_as_admin? %>
+  <% # Hide form for admins %>
+<% else %>
+  <div class="post comment" id="comment_form_for_<%= commentable.id %>">
+    <%= form_for value_for_comment_form(commentable, comment), :remote => !comment.new_record?, :html => {:id => "comment_for_#{commentable.id}"} do |f| %>
+      <fieldset>
+        <legend><%= ts("Post Comment") %></legend>
 
-      <% if params[:view_full_work] %>
-        <%= hidden_field_tag :view_full_work, params[:view_full_work] %>
-      <% end %>
+        <% # here come the hacks (hidden fields to transmit various info to the create action) %>
+        <% if commentable.is_a?(Tag) %>
+          <%= hidden_field_tag :tag_id, commentable.name %>
+        <% end %>
 
-      <% if controller.controller_name == "inbox" && params[:filters] %>
-        <%= hidden_field_tag "filters[read]", params[:filters][:read] %>
-        <%= hidden_field_tag "filters[replied_to]", params[:filters][:replied_to] %>
-        <%= hidden_field_tag "filters[date]", params[:filters][:date] %>
-      <% end %>
+        <% if params[:view_full_work] %>
+          <%= hidden_field_tag :view_full_work, params[:view_full_work] %>
+        <% end %>
 
-      <% if params[:page] %>
-        <%= hidden_field_tag :page, params[:page] %>
-      <% end %>
+        <% if controller.controller_name == "inbox" && params[:filters] %>
+          <%= hidden_field_tag "filters[read]", params[:filters][:read] %>
+          <%= hidden_field_tag "filters[replied_to]", params[:filters][:replied_to] %>
+          <%= hidden_field_tag "filters[date]", params[:filters][:date] %>
+        <% end %>
 
-      <% if comments_are_moderated(commentable) && !current_user_is_work_creator(commentable) %>
-        <p class="notice">
-          <%= ts("This work's creator has chosen to moderate comments on the work. Your comment will not appear until it has been approved by the creator.") %>
-        </p>
-      <% end %>
+        <% if params[:page] %>
+          <%= hidden_field_tag :page, params[:page] %>
+        <% end %>
 
-      <% if logged_in? %>
-        <% if current_user_is_anonymous_creator(commentable) %>
+        <% if comments_are_moderated(commentable) && !current_user_is_work_creator(commentable) %>
           <p class="notice">
-           <%= ts("While this work is anonymous, comments you post will also be listed anonymously.") %>
+            <%= ts("This work's creator has chosen to moderate comments on the work. Your comment will not appear until it has been approved by the creator.") %>
           </p>
         <% end %>
 
-        <% if current_user.pseuds.count > 1 %>
-          <h4 class="heading"><%= ts("Comment as") %> <%= f.collection_select :pseud_id, current_user.pseuds, :id, :name, {:selected => (comment.pseud ? comment.pseud.id.to_s : current_user.default_pseud.id.to_s)}, :id => "comment_pseud_id_for_#{commentable.id}", :title => ts("Choose Name") %>
-            <% if controller.controller_name == "inbox" %>
-              <% if commentable.by_anonymous_creator? %>
-                <span><%= ts("to") %> <%= "Anonymous Creator" %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
-              <% else %>
-                <span><%= ts("to") %> <%= get_commenter_pseud_or_name(commentable) %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
+        <% if logged_in? %>
+          <% if current_user_is_anonymous_creator(commentable) %>
+            <p class="notice">
+            <%= ts("While this work is anonymous, comments you post will also be listed anonymously.") %>
+            </p>
+          <% end %>
+
+          <% if current_user.pseuds.count > 1 %>
+            <h4 class="heading"><%= ts("Comment as") %> <%= f.collection_select :pseud_id, current_user.pseuds, :id, :name, {:selected => (comment.pseud ? comment.pseud.id.to_s : current_user.default_pseud.id.to_s)}, :id => "comment_pseud_id_for_#{commentable.id}", :title => ts("Choose Name") %>
+              <% if controller.controller_name == "inbox" %>
+                <% if commentable.by_anonymous_creator? %>
+                  <span><%= ts("to") %> <%= "Anonymous Creator" %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
+                <% else %>
+                  <span><%= ts("to") %> <%= get_commenter_pseud_or_name(commentable) %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
+                <% end %>
               <% end %>
-            <% end %>
-            (<%= allowed_html_instructions(show_list=false) %>)
-          </h4>
-        <% else %>
-          <h4 class="heading"><%= ts("Comment as") %> <span class="byline"><%= current_user.default_pseud.name %></span>
-            <%= f.hidden_field :pseud_id, :value => "#{current_user.default_pseud.id}", :id => "comment_pseud_id_for_#{commentable.id}" %>
-            <% if controller.controller_name == "inbox" %>
-              <% if commentable.by_anonymous_creator? %>
-                <span><%= ts("to") %> <%= "Anonymous Creator" %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
-              <% else %>
-                <span><%= ts("to") %> <%= get_commenter_pseud_or_name(commentable) %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
+              (<%= allowed_html_instructions(show_list=false) %>)
+            </h4>
+          <% else %>
+            <h4 class="heading"><%= ts("Comment as") %> <span class="byline"><%= current_user.default_pseud.name %></span>
+              <%= f.hidden_field :pseud_id, :value => "#{current_user.default_pseud.id}", :id => "comment_pseud_id_for_#{commentable.id}" %>
+              <% if controller.controller_name == "inbox" %>
+                <% if commentable.by_anonymous_creator? %>
+                  <span><%= ts("to") %> <%= "Anonymous Creator" %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
+                <% else %>
+                  <span><%= ts("to") %> <%= get_commenter_pseud_or_name(commentable) %> <%= ts("on") %> <%= commentable_description_link(commentable) %></span>
+                <% end %>
               <% end %>
-            <% end %>
+            </h4>
+            <p class="footnote">(<%= allowed_html_instructions %>)</p>
+          <% end %>
+
+        <% elsif logged_in_as_admin? %>
+          <h4 class="heading"><%= ts("Comment as") %> <span class="byline"><%= current_admin.login %></span>
+            <%= f.hidden_field :name, :value => "#{current_admin.login}", :id => "comment_name_for_#{commentable.id}" %>
+            <%= f.hidden_field :email, :value => "#{current_admin.email}", :id => "comment_email_for_#{commentable.id}" %>
           </h4>
           <p class="footnote">(<%= allowed_html_instructions %>)</p>
-        <% end %>
-
-      <% elsif logged_in_as_admin? %>
-        <h4 class="heading"><%= ts("Comment as") %> <span class="byline"><%= current_admin.login %></span>
-          <%= f.hidden_field :name, :value => "#{current_admin.login}", :id => "comment_name_for_#{commentable.id}" %>
-          <%= f.hidden_field :email, :value => "#{current_admin.email}", :id => "comment_email_for_#{commentable.id}" %>
-        </h4>
-        <p class="footnote">(<%= allowed_html_instructions %>)</p>
-
-      <% else %>
-        <dl>
-          <dt class="landmark"><%= ts("Note") %>:</dt>
-          <dd class="instructions comment_form"><%=ts("All fields are required. Your email address will not be published.") %></dd>
-          <dt><%= f.label "name_for_#{commentable.id}", ts("Guest name: ") %></dt>
-          <dd>
-            <%= f.text_field :name, :id => "comment_name_for_#{commentable.id}" %>
-            <%= live_validation_for_field("comment_name_for_#{commentable.id}", :failureMessage => ts('Please enter your name.')) %>
-          </dd>
-          <dt><%= f.label "email_for_#{commentable.id}", ts("Guest email: ") %></dt>
-          <dd>
-            <%= f.text_field :email, :id => "comment_email_for_#{commentable.id}" %>
-            <%= live_validation_for_field("comment_email_for_#{commentable.id}", :failureMessage => ts('Please enter your email address.')) %>
-          </dd>
-        </dl>
-        <p class="footnote">(<%= allowed_html_instructions %>)</p>
-      <% end %>
 
-      <p>
-        <% content_id = "comment_content_for_#{commentable.id}" %>
-        <label for="<%= content_id %>" class="landmark"><%= ts("Comment") %></label>
-        <%= f.text_area :comment_content, :id => content_id, :class => "comment_form observe_textlength", :title => ts("Enter Comment") %>
-        <input type="hidden" id="controller_name_for_<%= commentable.id %>" name="controller_name" value="<%= @controller_name ||= controller.controller_name %>" />
-      </p>
-      <%= generate_countdown_html("comment_content_for_#{commentable.id}", ArchiveConfig.COMMENT_MAX) %>
-      <%= live_validation_for_field("comment_content_for_#{commentable.id}",
-              :failureMessage => ts('Brevity is the soul of wit, but we need your comment to have text in it.'),
-              :maximum_length => ArchiveConfig.COMMENT_MAX,
-              :tooLongMessage => ts("must be less than %{count} characters long.", :count => ArchiveConfig.COMMENT_MAX)) %>
-      <p class="submit actions">
-        <%= f.submit button_name, :id => "comment_submit_for_#{commentable.id}", data: {disable_with: ts("Please wait...")} %>
-        <% if controller.controller_name == 'inbox' %>
-          <a name="comment_cancel" id="comment_cancel"><%= ts("Cancel") %></a>
-        <% elsif comment.persisted? %>
-          <%= cancel_edit_comment_link(comment) %>
-        <% elsif commentable.is_a?(Comment) || commentable.is_a?(CommentDecorator) %>
-          <%= cancel_comment_reply_link(commentable) %>
+        <% else %>
+          <dl>
+            <dt class="landmark"><%= ts("Note") %>:</dt>
+            <dd class="instructions comment_form"><%=ts("All fields are required. Your email address will not be published.") %></dd>
+            <dt><%= f.label "name_for_#{commentable.id}", ts("Guest name: ") %></dt>
+            <dd>
+              <%= f.text_field :name, :id => "comment_name_for_#{commentable.id}" %>
+              <%= live_validation_for_field("comment_name_for_#{commentable.id}", :failureMessage => ts('Please enter your name.')) %>
+            </dd>
+            <dt><%= f.label "email_for_#{commentable.id}", ts("Guest email: ") %></dt>
+            <dd>
+              <%= f.text_field :email, :id => "comment_email_for_#{commentable.id}" %>
+              <%= live_validation_for_field("comment_email_for_#{commentable.id}", :failureMessage => ts('Please enter your email address.')) %>
+            </dd>
+          </dl>
+          <p class="footnote">(<%= allowed_html_instructions %>)</p>
         <% end %>
-      </p>
-    </fieldset>
-  <% end %>
-</div>
-<div class="clear"></div>
+
+        <p>
+          <% content_id = "comment_content_for_#{commentable.id}" %>
+          <label for="<%= content_id %>" class="landmark"><%= ts("Comment") %></label>
+          <%= f.text_area :comment_content, :id => content_id, :class => "comment_form observe_textlength", :title => ts("Enter Comment") %>
+          <input type="hidden" id="controller_name_for_<%= commentable.id %>" name="controller_name" value="<%= @controller_name ||= controller.controller_name %>" />
+        </p>
+        <%= generate_countdown_html("comment_content_for_#{commentable.id}", ArchiveConfig.COMMENT_MAX) %>
+        <%= live_validation_for_field("comment_content_for_#{commentable.id}",
+                :failureMessage => ts('Brevity is the soul of wit, but we need your comment to have text in it.'),
+                :maximum_length => ArchiveConfig.COMMENT_MAX,
+                :tooLongMessage => ts("must be less than %{count} characters long.", :count => ArchiveConfig.COMMENT_MAX)) %>
+        <p class="submit actions">
+          <%= f.submit button_name, :id => "comment_submit_for_#{commentable.id}", data: {disable_with: ts("Please wait...")} %>
+          <% if controller.controller_name == 'inbox' %>
+            <a name="comment_cancel" id="comment_cancel"><%= ts("Cancel") %></a>
+          <% elsif comment.persisted? %>
+            <%= cancel_edit_comment_link(comment) %>
+          <% elsif commentable.is_a?(Comment) || commentable.is_a?(CommentDecorator) %>
+            <%= cancel_comment_reply_link(commentable) %>
+          <% end %>
+        </p>
+      </fieldset>
+    <% end %>
+  </div>
+  <div class="clear"></div>
+<% end %>

app/views/comments/_commentable.html.erb

@@ -28,7 +28,7 @@
       <li><%= link_to ts('Back to AO3 News Index'), admin_posts_path %></li>
     <% end %>
 
-    <% if @work && !is_author_of?(@work) %>
+    <% if @work && !is_author_of?(@work) && !logged_in_as_admin? %>
       <li>
         <%= form_for(:kudo, url: kudos_path, html: { method: 'post', id: 'new_kudo' }) do |kudo_form| %>
           <%= kudo_form.hidden_field :commentable_id, :value => @work.id %>

config/locales/views/en.yml

@@ -99,7 +99,7 @@ en:
       page_title: "Hi, %{login}!"
       confidentiality_reminder: "You are now logged in as an admin. That means you will probably encounter information that is personal or confidential (e.g. usernames, email and IP addresses, creator names on anonymous works, etc). Please do not use this information in ways unrelated to your OTW role. If you have questions about what you can or cannot do with information you see here, contact your committee chair(s)."
       responsibility: "With great power comes great responsibility."
-      log_out_reminder: "Please remember to log out before resuming your normal site activity and leaving comments and kudos!"
+      log_out_reminder: "Please remember to log out before resuming your normal site activity!"
       roles:
         heading: "Your admin roles:"
         none: "You currently have no admin roles assigned to you."

features/comments_and_kudos/add_comment.feature

@@ -207,3 +207,12 @@ Scenario: Try to post a comment with a < angle bracket before a linebreak, with
       """
       And I press "Comment"
     Then I should see "Comment created!"
+
+Scenario: Cannot comment (no form) while logged as admin
+
+    Given the work "Generic Work"
+      And I am logged in as an admin
+      And I view the work "Generic Work"
+    Then I should see "Generic Work"
+      And I should not see "Post Comment"
+      And I should not see a "Comment" button

features/comments_and_kudos/kudos.feature

@@ -167,3 +167,10 @@ Feature: Kudos
       And the email should contain "Meh Story"
       And the email should not contain "0 guests"
       And the email should not contain "translation missing"
+
+Scenario: Cannot leave kudos (no button) while logged as admin
+
+    Given I am logged in as an admin
+      And I view the work "Awesome Story"
+    Then I should see "Awesome Story"
+      And I should not see a "Kudos ♥" button

features/tags_and_wrangling/tag_comment.feature

@@ -43,24 +43,17 @@ I'd like to comment on a tag'
   Scenario: Multiple comments on a tag increment correctly
 
     Given the following activated tag wranglers exist
-        | login     |
-        | dizmo     |
+        | login        |
+        | dizmo        |
+        | someone_else |
       And a fandom exists with name: "Stargate Atlantis", canonical: true
     When I am logged in as "dizmo"
     When I post the comment "Yep, we should have a Stargate franchise metatag." on the tag "Stargate Atlantis"
-    When I am logged in as an admin
+    When I am logged in as "someone_else"
     When I post the comment "Important policy decision" on the tag "Stargate Atlantis"
     When I view the tag "Stargate Atlantis"
     Then I should see "2 comments"
 
-    Scenario: admin can also comment on tags, issue 1428
-
-    Given a fandom exists with name: "Stargate Atlantis", canonical: true
-    When I am logged in as an admin
-    When I post the comment "Important policy decision" on the tag "Stargate Atlantis" via web
-    When I view the tag "Stargate Atlantis"
-    Then I should see "1 comment"
-
   Scenario: Issue 2185: email notifications for tag commenting; TO DO: replies to comments
 
     Given the following activated tag wranglers exist

spec/controllers/comments_controller_spec.rb

@@ -249,14 +249,9 @@
 
         it "posts the comment and shows it in context" do
           post :create, params: { tag_id: fandom.name, comment: anon_comment_attributes }
+          expect(flash[:notice]).to eq("Please log out of your admin account first!")
           comment = Comment.last
-          expect(comment.commentable).to eq fandom
-          expect(comment.name).to eq anon_comment_attributes[:name]
-          expect(comment.email).to eq anon_comment_attributes[:email]
-          expect(comment.comment_content).to include anon_comment_attributes[:comment_content]
-          path = comments_path(tag_id: fandom.to_param,
-                               anchor: "comment_#{comment.id}")
-          expect(response).to redirect_to path
+          expect(comment).to eq nil
         end
       end
 
@@ -340,6 +335,17 @@
           expect(cookies[:flash_is_set]).to eq(1)
         end
       end
+
+      context "when logged in as an admin" do
+        let(:work) { create(:work) }
+
+        before { fake_login_admin(create(:admin)) }
+
+        it "asks to log out first" do
+          post :create, params: { work_id: work.id, comment: anon_comment_attributes }
+          expect(flash[:notice]).to eq("Please log out of your admin account first!")
+        end
+      end
     end
 
     context "when the commentable is an admin post" do

spec/controllers/kudos_controller_spec.rb

@@ -182,5 +182,17 @@
         end
       end
     end
+
+    context "when kudos giver is admin" do
+      let(:work) { create(:work) }
+      let(:admin) { create(:admin) }
+
+      before { fake_login_admin(admin) }
+
+      it "asks to log out first" do
+        post :create, params: { kudo: { commentable_id: work.id, commentable_type: "Work" } }
+        expect(flash[:notice]).to eq("Please log out of your admin account first!")
+      end
+    end
   end
 end