fix: add post permission checks to comment interaction endpoints

[lsabor]

Closes several secondary permission gaps where users could interact with comments on posts they don't have access to:

• comment_toggle_cmm_view, comment_report_api_view: add can_view check
• comments_of_week_view: filter entries to posts visible to the user
• key_factor_vote_view, comment_suggested_key_factors_view: add can_view check

Summary by CodeRabbit

• Bug Fixes
  • Comment toggle and report endpoints now enforce user access permissions
  • Key factor voting and suggestion features now require proper authorization checks
  • Weekly top comments view updated to respect user access permissions

[coderabbitai]

📝 Walkthrough

Walkthrough

Two comment view modules (comments/views/common.py and comments/views/key_factors.py) gain ObjectPermission.can_view checks on four endpoints. The weekly top-comments query is additionally restricted to posts visible to the requesting user via Post.objects.filter_permission.

Changes

Authorization enforcement on comment endpoints

Layer / File(s)	Summary
Permission gates in comment common views comments/views/common.py	Adds Post import; enforces ObjectPermission.can_view on comment.on_post in comment_toggle_cmm_view and comment_report_api_view; filters comments_of_week_view top-comments query to posts permitted for the requesting user (None for unauthenticated).
Permission gates in key-factor views comments/views/key_factors.py	Adds ObjectPermission.can_view(..., raise_exception=True) checks in key_factor_vote_view (against the key factor's post) and comment_suggested_key_factors_view (against comment.on_post) before any further processing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• Metaculus/metaculus#4533: Also modifies key_factor_vote_view in comments/views/key_factors.py, adding vote-reason return logic to the same function that this PR now gates with an authorization check.

Poem

🐇 Hippity-hop, no peeking around,
The rabbit locked posts that shouldn't be found!
can_view now guards each toggle and vote,
Unauthenticated eyes get a polite "no" note.
Security's tighter, the warren is sound! 🔒

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding post permission checks to comment interaction endpoints, which directly matches the changeset's core objective.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch followup/comment-access-perms

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

comments/views/common.py (1)

244-258: ⚠️ Potential issue | 🟠 Major

Guard against None value in on_post before the permission check.

The on_post field in the Comment model is defined with null=True, allowing it to be None. However, get_post_permission_for_user(post) accesses post.id (line 355 in posts/services/common.py), which will crash if post is None. The existing guard at line 255 comes too late—it should be moved before the permission check.

Proposed fix

 def comment_report_api_view(request, pk=int):
     comment = get_object_or_404(Comment, pk=pk)
     post = comment.on_post
 
+    if not post:
+        return Response(
+            {"error": "Comment is not associated with a post"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
+
     permission = get_post_permission_for_user(post, user=request.user)
     ObjectPermission.can_view(permission, raise_exception=True)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@comments/views/common.py` around lines 244 - 258, The comment_report_api_view
function retrieves post from comment.on_post which can be None due to null=True
in the model definition, but then immediately passes this potentially None value
to get_post_permission_for_user which will crash when accessing post.id. Move
the guard check for None post value before the permission check call, raising an
appropriate 404 exception if post is None, rather than waiting until after the
permission validation to check if post exists.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@comments/views/common.py`:
- Around line 244-258: The comment_report_api_view function retrieves post from
comment.on_post which can be None due to null=True in the model definition, but
then immediately passes this potentially None value to
get_post_permission_for_user which will crash when accessing post.id. Move the
guard check for None post value before the permission check call, raising an
appropriate 404 exception if post is None, rather than waiting until after the
permission validation to check if post exists.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 96c62404-c0f5-44ee-9c06-cd21528f0edb

📥 Commits

Reviewing files that changed from the base of the PR and between dc85eaa and 157e96e.

📒 Files selected for processing (2)

• comments/views/common.py
• comments/views/key_factors.py

[github-actions]

🚀 Preview Environment

Your preview environment is ready!

Resource	Details
🌐 Preview URL	https://metaculus-pr-4912-followup-comment-access-perms-preview.mtcl.cc
📦 Docker Image	ghcr.io/metaculus/metaculus:followup-comment-access-perms-157e96e
🗄️ PostgreSQL	NeonDB branch preview/pr-4912-followup-comment-access-perms
⚡ Redis	Fly Redis mtc-redis-pr-4912-followup-comment-access-perms

Details

• Commit: 8936ee28fbc514c2e5b8f6671e106b617262c94a
• Branch: followup/comment-access-perms
• Fly App: metaculus-pr-4912-followup-comment-access-perms

---

ℹ️ Preview Environment Info

Isolation:

• PostgreSQL and Redis are fully isolated from production
• Each PR gets its own database branch and Redis instance
• Changes pushed to this PR will trigger a new deployment

Limitations:

• Background workers and cron jobs are not deployed in preview environments
• If you need to test background jobs, use Heroku staging environments

Cleanup:

• This preview will be automatically destroyed when the PR is closed