From 711692227ab470fa56389893a2851227cdd151e2 Mon Sep 17 00:00:00 2001
From: Andrew Shu
Date: Mon, 1 Sep 2025 00:07:30 -0700
Subject: [PATCH] Check permissions for all Comment fields in API
---
tildes/openapi_beta.yaml | 7 ++-
tildes/tildes/views/api/beta/comment.py | 62 ++++++++++++++++---------
2 files changed, 46 insertions(+), 23 deletions(-)
diff --git a/tildes/openapi_beta.yaml b/tildes/openapi_beta.yaml
index 436b571..3c18065 100644
--- a/tildes/openapi_beta.yaml
+++ b/tildes/openapi_beta.yaml
@@ -343,8 +343,12 @@ components:
 - removed
 - deleted
 - exemplary
+ - collapsed
+ - collapsed_individual
 - voted
 - bookmarked
+ - depth
+ - children
 properties:
 id:
 type: string
@@ -358,6 +362,7 @@ components:
 nullable: true
 created_at:
 type: string
+ nullable: true
 edited_at:
 type: string
 nullable: true
@@ -372,10 +377,8 @@ components:
 nullable: true
 collapsed:
 type: boolean
- nullable: true
 collapsed_individual:
 type: boolean
- nullable: true
 by_op:
 type: boolean
 nullable: true
diff --git a/tildes/tildes/views/api/beta/comment.py b/tildes/tildes/views/api/beta/comment.py
index a07c914..54507f1 100644
--- a/tildes/tildes/views/api/beta/comment.py
+++ b/tildes/tildes/views/api/beta/comment.py
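Review bot: `created_at` becomes `nullable: true` in the second hunk, but nothing in the schema says that `null` means "withheld from this caller" rather than "unknown"; a `description` on `created_at` (and on `author`/`rendered_html`, if they follow the same rule) such as `description: Null when the caller lacks permission to view the comment.` would let clients tell the two apart. Likewise `collapsed` and `collapsed_individual` drop `nullable` and join `required` in the first and third hunks, so a comment whose collapse state was never computed is now reported as `false` rather than `null`; a one-line description stating that default would make the change in meaning explicit. `depth` and `children` are added to `required` but their property definitions are not in this diff, so I cannot confirm they are always emitted.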
@@ -14,20 +14,45 @@ def comment_to_api_dict(request: Request, comment: Comment) -> dict:
 The schema is defined in our OpenAPI YAML file.
 """
+ # Some fields do not require permissions
+ comment_id = comment.comment_id36
+ topic_id = comment.topic.topic_id36
+ is_removed = comment.is_removed
+ is_deleted = comment.is_deleted
+ collapsed = (
+ hasattr(comment, "collapsed_state") and comment.collapsed_state == "full"
+ )
+ collapsed_individual = (
+ hasattr(comment, "collapsed_state") and comment.collapsed_state == "individual"
+ )
+
 # Check permissions for viewing comment details (and set safe defaults)
 author = None
+ created_time = None
+ edited_time = None
 rendered_html = None
+ votes = 0
 exemplary = None
 by_op = None
 by_me = None
 is_new_comment = None
+ voted = False
+ bookmarked = False
+
 if request.has_permission("view", comment):
 author = comment.user.username
+ created_time = comment.created_time.isoformat()
+ edited_time = (
+ comment.last_edited_time.isoformat() if comment.last_edited_time else None
+ )
 rendered_html = comment.rendered_html
+ votes = comment.num_votes
 exemplary = comment.is_label_active("exemplary")
 by_me = request.user == comment.user if request.user else False
+
 if request.has_permission("view_author", comment.topic):
 by_op = comment.user == comment.topic.user
+
 is_new_comment = (
 (comment.created_time > comment.topic.last_visit_time)
 if (
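Review bot: `new_comment` is still computed from `comment.created_time` for every comment, after the `if request.has_permission("view", comment):` block, even though this hunk now withholds `created_at` from callers without `view`; for a removed or deleted comment the boolean still tells a logged-in caller whether it was posted after their last visit to the topic. The `is_new_comment = None` default is also dead, because the assignment at the end of the hunk is unconditional. Moving the whole `is_new_comment = (...)` expression under the `view` check, or wrapping it in `if request.has_permission("view", comment):` so the `None` default survives otherwise, would make it consistent with the other gated fields; the expression closes in the next hunk, so the move spans both. Separately, `votes = 0` for a non-viewable comment is indistinguishable from a genuine zero score; if the schema's `votes` entry is not nullable (its definition is not in this diff), a `# 0 here means "withheld", not "no votes"` comment next to the default would at least record that.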
@@ -38,34 +63,29 @@ def comment_to_api_dict(request: Request, comment: Comment) -> dict:
 else False
 )
+ if request.has_permission("vote", comment):
+ voted = comment.user_voted
+ if request.has_permission("bookmark", comment):
+ bookmarked = comment.user_bookmarked
+
 return {
- "id": comment.comment_id36,
- "topic_id": comment.topic.topic_id36,
+ "id": comment_id,
+ "topic_id": topic_id,
 "author": author,
 "rendered_html": rendered_html,
- "created_at": comment.created_time.isoformat(),
- "edited_at": (
- comment.last_edited_time.isoformat() if comment.last_edited_time else None
- ),
- "votes": comment.num_votes,
- "removed": comment.is_removed,
- "deleted": comment.is_deleted,
+ "created_at": created_time,
+ "edited_at": edited_time,
+ "votes": votes,
+ "removed": is_removed,
+ "deleted": is_deleted,
 "exemplary": exemplary,
- "collapsed": (
- (comment.collapsed_state == "full")
- if hasattr(comment, "collapsed_state")
- else None
- ),
- "collapsed_individual": (
- (comment.collapsed_state == "individual")
- if hasattr(comment, "collapsed_state")
- else None
- ),
+ "collapsed": collapsed,
+ "collapsed_individual": collapsed_individual,
 "by_op": by_op,
 "by_me": by_me,
 "new_comment": is_new_comment,
- "voted": comment.user_voted,
- "bookmarked": comment.user_bookmarked,
+ "voted": voted,
+ "bookmarked": bookmarked,
 }
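Review bot: `voted` and `bookmarked` are gated on the `vote` and `bookmark` permissions rather than on `view`, so a caller who did vote or bookmark receives `False` whenever they are currently not allowed to vote or bookmark; if those ACLs deny, for example, the caller's own comments or comments past a voting window (not visible here), the response misreports the caller's existing state. A `False` that means "withheld" is also indistinguishable from a real "not voted", unlike `created_at` and `author`, which become `null`. Both values are facts about the caller rather than about the comment, so gating them on a logged-in user plus `view` — `if request.user and request.has_permission("view", comment):` followed by the two assignments — or making them nullable in the schema would be clearer. If the current gating is intentional, a comment such as `# voted/bookmarked are reported only while the caller may still vote/bookmark` above the two checks would stop the next reader from reopening the question.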