Merge lp:~aaronp/rnr-server/delete-review into lp:rnr-server

On Mon, May 2, 2011 at 3:21 PM, Aaron Peachey <email address hidden> wrote:
Aaron Peachey has proposed merging lp:~aaronp/rnr-server/delete-review into lp:rnr-server.

Requested reviews:
 Ratings and Reviews Developers (rnr-developers)

Hey Aaron! Thanks for the branch!

For more details, see:
https://code.launchpad.net/~aaronp/rnr-server/delete-review/+merge/59658

add's functionality for a user to self-delete a review they have submitted.

Great!

Adds a new field in the Review model to hold a date/time of deletion (where null = not deleted) and uses existing hide flag.

A thought - can the review be unhidden by some other process? ie., something like:

1) users creates review,
2) it gets flagged (and is hidden)
3) user deletes review (deletion tiime set, already hidden), but still in moderation queue
4) moderator marks the review as OK (and it is unhidden, even though deletion timestamp is set).

I guess we just need to ensure that these reviews don't appear for moderation? What do you think?

Also, whenever we change the database models, we need to create a new migration so that the production databases can be updated. Normally this is as simple as `fab manage:'migrate reviewsapp add_deletion_timestamp --auto'`. But if it's a hassle, I can add that on to your branch afterwards.

Some other thoughts below.

--

https://code.launchpad.net/~aaronp/rnr-server/delete-review/+merge/59658
Your team Ratings and Reviews Developers is requested to review the proposed merge of lp:~aaronp/rnr-server/delete-review into lp:rnr-server.

=== modified file 'src/reviewsapp/api/handlers.py'
--- src/reviewsapp/api/handlers.py 2011-04-12 10:43:30 +0000
+++ src/reviewsapp/api/handlers.py 2011-05-02 13:21:35 +0000
@@ -27,6 +27,7 @@
    'ShowReviewsHandler',
    'SubmitReviewHandler',
    'ShowUsefulnessHandler',
+ 'DeleteReviewHandler',
 ]

 import urllib
@@ -37,6 +38,7 @@
    HttpResponse,
    HttpResponseBadRequest,
    HttpResponseNotFound,
+ HttpResponseForbidden,
    )
 from django.shortcuts import get_object_or_404
 from django.utils import simplejson
@@ -236,6 +238,23 @@

        return review

+class DeleteReviewHandler(BaseHandler):
+ allowed_methods = ('POST',)

Unrelated to your branch (as we already seem to have these multiple handlers), but we should have been able to have a single handler resource that takes different methods... ie, rather than creating a new handler here and using a POST, we could use I've not used the functionality yet, but we should really be able to have a siingle ReviewHandler that uses create (POST), read (GET), update (PUT), etc.

Depending how you feel about it, I might even have a go at renaming the SubmitReviewHandler to do this when you've finished, or let me know if it's something that interests you too.

+
+ def create(self, request, review_id):
+ try:
+ review = Review.objects.get(id=review_id)
+ except Review.DoesNotExist:
+ return HttpResponseNotFound('No matching review found')

We should be able to simplify the above with a single:

get_object_or_404(Review, id=review_id)

+
+ try:
+ deleted = review.delete(request.user)
+ ...

Actually, I was just chatting with achuni about this:

{{{
14:25 <achuni> we need to add a bit of doc or a comment to urls.py
14:26 <achuni> so that people consider the http/https issue when adding a new url
14:26 <achuni> while you're there...
14:27 <achuni> could you ask him to change it to /reviews/delete/<id>/?
14:27 <achuni> I know it's nicer to be able to say /reviews/42 -> brings the review, and /reviews/42/delete -> deletes it
14:28 <achuni> but /reviews/42 is a public (http) request, and /reviews/42/delete needs to be authenticated
14:28 <noodles> oh,
14:29 <noodles> that rules out my suggestion, which was GET /reviews/42 to get, and PUT /reviews/42 to update it (for eg., setting date_deleted)
14:29 <achuni> as a rule of thumb, it's best to leave all the variable part of the url pattern at the end, and make sure it has a unique non-variable prefix
14:29 <achuni> ah that would be extremely hard to do also :-/
14:29 <noodles> yep.
14:29 <achuni> well, unless we don't care about doing https for everybody
14:29 <achuni> but it screws with caching
14:30 <achuni> (I understand retrieved reviews aren't cached if they're fetched over https)
14:30 <noodles> Is it not possible to do GET as http, and PUT/POST/DELETE etc. as https? or is it url only?
14:30 <achuni> (piston-mini-client should fix that really... sucky pos)
14:31 <achuni> atm piston-mini-client distinguishes them by url
14:31 <achuni> ...and Apache's redirect rules do so too I think?
14:31 <achuni> or can Apache say "this url, if it's a GET request, redirect to http"?
14:31 <achuni> I'd bet it can do that, yeah
14:32 <achuni> but we'd still need to realize (on the server) that one url would sometimes need to be authenticated, others not
14:32 <noodles> http://stackoverflow.com/questions/2838728/rewrite-url-for-put-request
}}}

So for the moment, it might be best just to modify the url and not worry about the handler changes I mentioned as possibilities. If we find we can do per method apache redirects as above, then I'll do a separate branch updating the handlers.

Hi Michael,
Thanks alot for the speedy review. You can probably tell I'm just feeling my way around django for now so I appreciate the comprehensive feedback.

I'm happy to make the suggested changes from you and achuni and resubmit shortly.

Just a couple of things:
1. Re the risk of a deleted review being unhidden. Good point! Should I just modify the moderation stuff to prevent a review being queued for moderation (or deleted from the queue if it's there already) if it has a deleted date or add a new boolean field ' deleted' (would still need to modify the moderation chide). I'm thinking the latter is cleaner, especially if we want to treat hidden reviews differently to deleted reviews later e.g. Allowing a user to resubmit for that app.

2. Re get_object_or_404 - the reason I differentiated between the reasons is to return more useful feedback to the client, as i've written some code in usc that uses the body of the response to give the user a clue as to why it failed. Would I still be able to do this using thie get_object_or_404 method? I.e. Saying the review does not exist is technically only correct if it can't be found using its id - what do you think?

Cheers
Aaron

> Hi Michael,
> Thanks alot for the speedy review. You can probably tell I'm just feeling my
> way around django for now so I appreciate the comprehensive feedback.

No problem! It's great that you're getting in there from your desktop background :) I hope you're enjoying django!

>
> I'm happy to make the suggested changes from you and achuni and resubmit
> shortly.
>
> Just a couple of things:
> 1. Re the risk of a deleted review being unhidden. Good point! Should I just
> modify the moderation stuff to prevent a review being queued for moderation
> (or deleted from the queue if it's there already) if it has a deleted date or
> add a new boolean field ' deleted' (would still need to modify the moderation
> chide). I'm thinking the latter is cleaner, especially if we want to treat
> hidden reviews differently to deleted reviews later e.g. Allowing a user to
> resubmit for that app.

It should be as simple as updating the query in views.reviewmoderation_list from:
    review_moderations = ReviewModeration.objects.all()
to:
    review_moderations = ReviewModeration.objects.all(review__date_deleted=None)

(and adding a test to ensure they're not included of course). I don't think we need another deleted field given that you've already got date_deleted?

Actually, something else... currently people can't create more than one view for an app (in a given series). See reviewsapp.forms.ReviewForm.clean(), we'll just need a similar update to the filter there used to determine whether the user already has a review, so that they can submit a new one if they delete the old one (?). Does that make sense?

>
> 2. Re get_object_or_404 - the reason I differentiated between the reasons is
> to return more useful feedback to the client, as i've written some code in usc
> that uses the body of the response to give the user a clue as to why it
> failed. Would I still be able to do this using thie get_object_or_404 method?

No - that makes sense if you want to do that, but two points:
 1) I'd be very careful depending on the body of the response (it could be modified, translated etc. in sca without us knowing that it'll affect the client. If you are depending on the body text, I'd check for it in the test and add a comment so it's not removed from the test.
 2) Is it really necessary? Are they not options that should never be presented in the client UI anyway? (A button to delete someone else's review, or a review of your own that you've already deleted?)

> I.e. Saying the review does not exist is technically only correct if it can't
> be found using its id - what do you think?

Right - but I'm not sure how likely the other two are in the client UI, but you're in a better position to know that.

Thanks!
>
> Cheers
> Aaron

Yeah, that makes sense, technically in the client the user should not be allowed to delete the review if it's already deleted or if it's not theirs, so it may be overkill to cater for it here. I'll implement using the get_object_or_404 and we'll see how it goes. If it's coded well enough in client (which it might not be - remember I wrote the code!!) then it shouldn't be an issue.

OK all the changes are made.
I wasn't able to do the migration, as it's complaining that the --auto option doesn't exist (??). Anything I can do there?
I felt my way around the tests a bit and had to make some changes to the factory to make it work. Assuming with default values it won't impact any other tests but not 100% sure.

Thanks again!
Aaron

On Thu, May 5, 2011 at 2:54 PM, Aaron Peachey <email address hidden> wrote:

> Review: Resubmit
> OK all the changes are made.
> I wasn't able to do the migration, as it's complaining that the --auto
> option doesn't exist (??). Anything I can do there?
>

Yeah, sorry, I should have checked the command I gave you. It's:

fab manage:'startmigration reviewsapp add_review_date_deleted --auto'

It'll tell you that a bunch of other fields have changed too,, but most are
just because some model fields have utcnow as the default value, and so can
be deleted from the migration. It should just contain the forward and
backward to add/remove your new column, as well as all the auto-generated
orm data. Either check one of the other simple migrations, or it's fine just
to leave it and I'll add to your branch before landing.

I'll try to get to your other changes asap. Thanks!

> I felt my way around the tests a bit and had to make some changes to the
> factory to make it work. Assuming with default values it won't impact any
> other tests but not 100% sure.
>
> Thanks again!
> Aaron
> --
> https://code.launchpad.net/~aaronp/rnr-server/delete-review/+merge/59658
> You are reviewing the proposed merge of lp:~aaronp/rnr-server/delete-review
> into lp:rnr-server.
>

--

Michael Nelson

Canonical Ltd.

+49 176 491 53481 (mob)

<email address hidden>

IRC nick: noodles (noodles775 on Freenode)

Ubuntu - Linux for human beings | www.ubuntu.com | www.canonical.com

Easy, thanks Michael. I've pushed the migration now too.

One more thing for now. Updated and tested rnrclient (diff below).
Added a test for the rnrclient change and added date_deleted to the fields in the show review handler so it gets returned when a review is successfully deleted (I don't know why this worked, but I took a guess and it did!)

=== modified file 'rnrclient.py'
--- rnrclient.py 2011-03-17 09:17:26 +0000
+++ rnrclient.py 2011-05-05 14:10:04 +0000
@@ -167,3 +167,10 @@

         return self._get('usefulness/', args=data,
             scheme=PUBLIC_API_SCHEME)
+
+ @validate('review_id', int)
+ @returns_json
+ def delete_review(self, review_id):
+ """Delete a review"""
+ return self._post('/reviews/delete/%s/' % review_id, data = {},
+ scheme=AUTHENTICATED_API_SCHEME)

Wow, great work Aaron. AFAICS, there are only a few small tiny issues (again, I'm happy to do them if you're getting sick of me, but if you're keen, go for it :) ).

1) Test ensuring reviews stats updated after delete (you've added the code already). You can either mock the review.softwareitem_in_repository to ensure update_stats is called, or setup the test to check the actual stats afterwards.
2) AFAICS, the two exceptions you created are no longer necessary? (ReviewAlreadyDeleted and ReviewNotUsersOwn)
3) test_delete_review currently just checks that the same review is returned... it should also be checking that hide is false and date_deleted is not none right, like you've done on the api test? (it's tested in part implicitly with test_already_deleted)
4) With test_wrong_user, the first var (reviewer) is never used and unnecessary.

Also, is there a reason to catch the exceptions in your _request_delete_id helper? It hides the fact that an exception is occurring in the test itself, whereas using assertRaises() would make it obvious and explicit.

> Wow, great work Aaron. AFAICS, there are only a few small tiny issues (again,
> I'm happy to do them if you're getting sick of me, but if you're keen, go for
> it :) ).

Thanks. Happy to.

> 1) Test ensuring reviews stats updated after delete (you've added the code
> already). You can either mock the review.softwareitem_in_repository to ensure
> update_stats is called, or setup the test to check the actual stats
> afterwards.
OK, thanks.

> 2) AFAICS, the two exceptions you created are no longer necessary?
> (ReviewAlreadyDeleted and ReviewNotUsersOwn)
Yep, forgot to delete them!

> 3) test_delete_review currently just checks that the same review is
> returned... it should also be checking that hide is false and date_deleted is
> not none right, like you've done on the api test? (it's tested in part
> implicitly with test_already_deleted)
Yep, will change that.

> 4) With test_wrong_user, the first var (reviewer) is never used and
> unnecessary.
Thanks.

>
> Also, is there a reason to catch the exceptions in your _request_delete_id
> helper? It hides the fact that an exception is occurring in the test itself,
> whereas using assertRaises() would make it obvious and explicit.
Thanks for that. It took me a while to figure out how to resolve that (turns out I've used a hack!!) and I didn't know assertRaises existed. Will fix that too.

Cheers. Will resubmit soon.

thanks
Aaron

All changes made. (Re-)Re-submitted.
Thanks

Excellent, thanks Aaron! I'll land the rnrclient change first then this one.