forgejo/models/moderation/abuse_report_detailed.go

// Copyright 2025 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: GPL-3.0-or-later

package moderation

import (
	"context"
	"fmt"
	"strings"

	"forgejo.org/models/db"
	"forgejo.org/modules/setting"
	"forgejo.org/modules/timeutil"

	"xorm.io/builder"
)

type AbuseReportDetailed struct {
	AbuseReport        `xorm:"extends"`
	ReportedTimes      int // only for overview
	ReporterName       string
	ContentReference   string
	ShadowCopyDate     timeutil.TimeStamp // only for details
	ShadowCopyRawValue string             // only for details
}

func (ard AbuseReportDetailed) ContentTypeIconName() string {
	switch ard.ContentType {
	case ReportedContentTypeUser:
		return "octicon-person"
	case ReportedContentTypeRepository:
		return "octicon-repo"
	case ReportedContentTypeIssue:
		return "octicon-issue-opened"
	case ReportedContentTypeComment:
		return "octicon-comment"
	default:
		return "octicon-question"
	}
}

func (ard AbuseReportDetailed) ContentURL() string {
	switch ard.ContentType {
	case ReportedContentTypeUser:
		return strings.TrimLeft(ard.ContentReference, "@")
	case ReportedContentTypeIssue:
		return strings.ReplaceAll(ard.ContentReference, "#", "/issues/")
	default:
		return ard.ContentReference
	}
}

func GetOpenReports(ctx context.Context) ([]*AbuseReportDetailed, error) {
	var reports []*AbuseReportDetailed

	// - For PostgreSQL user table name should be escaped.
	//   - Escaping can be done with double quotes (") but this doesn't work for MariaDB.
	// - For SQLite index column name should be escaped.
	//   - Escaping can be done with double quotes (") or backticks (`).
	// - For MariaDB/MySQL there is no need to escape the above.
	// - Therefore we will use double quotes (") but only for PostgreSQL and SQLite.
	identifierEscapeChar := ``
	if setting.Database.Type.IsPostgreSQL() || setting.Database.Type.IsSQLite3() {
		identifierEscapeChar = `"`
	}

	err := db.GetEngine(ctx).SQL(fmt.Sprintf(`SELECT AR.*, ARD.reported_times, U.name AS reporter_name, REFS.ref AS content_reference
		FROM abuse_report AR
		INNER JOIN (
			SELECT min(id) AS id, count(id) AS reported_times
			FROM abuse_report
			WHERE status = %[2]d
			GROUP BY content_type, content_id
		) ARD ON ARD.id = AR.id
		LEFT JOIN %[1]suser%[1]s U ON U.id = AR.reporter_id
		LEFT JOIN (
			SELECT %[3]d AS type, id, concat('@', name) AS "ref"
			FROM %[1]suser%[1]s WHERE id IN (
				SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[3]d
			)
			UNION
			SELECT %[4]d AS "type", id, concat(owner_name, '/', name) AS "ref"
			FROM repository WHERE id IN (
				SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[4]d
			)
			UNION
			SELECT %[5]d AS "type", I.id, concat(IR.owner_name, '/', IR.name, '#', I.%[1]sindex%[1]s) AS "ref"
			FROM issue I
			LEFT JOIN repository IR ON IR.id = I.repo_id
			WHERE I.id IN (
				SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[5]d
			)
			UNION
			SELECT %[6]d AS "type", C.id, concat(CIR.owner_name, '/', CIR.name, '/issues/', CI.%[1]sindex%[1]s, '#issuecomment-', C.id) AS "ref"
			FROM comment C
			LEFT JOIN issue CI ON CI.id = C.issue_id
			LEFT JOIN repository CIR ON CIR.id = CI.repo_id
			WHERE C.id IN (
				SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[6]d
			)
		) REFS ON REFS.type = AR.content_type AND REFS.id = AR.content_id
		ORDER BY AR.created_unix ASC`, identifierEscapeChar, ReportStatusTypeOpen,
		ReportedContentTypeUser, ReportedContentTypeRepository, ReportedContentTypeIssue, ReportedContentTypeComment)).
		Find(&reports)
	if err != nil {
		return nil, err
	}
	return reports, nil
}

func GetOpenReportsByTypeAndContentID(ctx context.Context, contentType ReportedContentType, contentID int64) ([]*AbuseReportDetailed, error) {
	var reports []*AbuseReportDetailed

	// Some remarks concerning PostgreSQL:
	// - user table should be escaped (e.g. `user`);
	// - tried to use aliases for table names but errors like 'invalid reference to FROM-clause entry'
	//   or 'missing FROM-clause entry' were returned;
	err := db.GetEngine(ctx).
		Select("abuse_report.*, `user`.name AS reporter_name, abuse_report_shadow_copy.created_unix AS shadow_copy_date, abuse_report_shadow_copy.raw_value AS shadow_copy_raw_value").
		Table("abuse_report").
		Join("LEFT", "user", "`user`.id = abuse_report.reporter_id").
		Join("LEFT", "abuse_report_shadow_copy", "abuse_report_shadow_copy.id = abuse_report.shadow_copy_id").
		Where(builder.Eq{
			"content_type": contentType,
			"content_id":   contentID,
			"status":       ReportStatusTypeOpen,
		}).
		Asc("abuse_report.created_unix").
		Find(&reports)
	if err != nil {
		return nil, err
	}

	return reports, nil
}
feat: Admin interface for abuse reports (#7905) - Implementation of milestone 5. from Task F. Moderation features: Reporting (part of [amendment of the workplan](https://codeberg.org/forgejo/sustainability/src/branch/main/2022-12-01-nlnet/2025-02-07-extended-workplan.md#task-f-moderation-features-reporting) for NLnet 2022-12-035): `5. Forgejo admins can see a list of reports` There is a lot of room for improvements, but it was decided to start with a basic version so that feedback can be collected from real-life usages (based on which the UI might change a lot). - Also covers milestone 2. from same Task F. Moderation features: Reporting: `2. Reports from multiple users are combined in the database and don't create additional reports.` But instead of combining the reports when stored, they are grouped when retrieved (it was concluded _that it might be preferable to take care of the deduplication while implementing the admin interface_; see https://codeberg.org/forgejo/forgejo/pulls/7939#issuecomment-4841754 for more details). --- Follow-up of !6977 ### See also: - forgejo/design#30 --- This adds a new _Moderation reports_ section (/admin/moderation/reports) within the _Site administration_ page, where administrators can see an overview with the submitted abuse reports that are still open (not yet handled in any way). When multiple reports exist for the same content (submitted by distinct users) only the first one will be shown in the list and a counter can be seen on the right side (indicating the number of open reports for the same content type and ID). Clicking on the counter or the icon from the right side will open the details page where a list with all the reports (when multiple) linked to the reported content is available, as well as any shadow copy saved for the current report(s). The new section is available only when moderation in enabled ([moderation] ENABLED config is set as true within app.ini). Discussions regarding the UI/UX started with https://codeberg.org/forgejo/design/issues/30#issuecomment-2908849 Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7905 Reviewed-by: Otto <otto@codeberg.org> Reviewed-by: jerger <jerger@noreply.codeberg.org> Co-authored-by: floss4good <floss4good@disroot.org> Co-committed-by: floss4good <floss4good@disroot.org> 2025-07-23 00:20:15 +02:00			`// Copyright 2025 The Forgejo Authors. All rights reserved.`
			`// SPDX-License-Identifier: GPL-3.0-or-later`

			`package moderation`

			`import (`
			`"context"`
			`"fmt"`
			`"strings"`

			`"forgejo.org/models/db"`
			`"forgejo.org/modules/setting"`
			`"forgejo.org/modules/timeutil"`

			`"xorm.io/builder"`
			`)`

			`type AbuseReportDetailed struct {`
			AbuseReport `xorm:"extends"`
			`ReportedTimes int // only for overview`
			`ReporterName string`
			`ContentReference string`
			`ShadowCopyDate timeutil.TimeStamp // only for details`
			`ShadowCopyRawValue string // only for details`
			`}`

			`func (ard AbuseReportDetailed) ContentTypeIconName() string {`
			`switch ard.ContentType {`
			`case ReportedContentTypeUser:`
			`return "octicon-person"`
			`case ReportedContentTypeRepository:`
			`return "octicon-repo"`
			`case ReportedContentTypeIssue:`
			`return "octicon-issue-opened"`
			`case ReportedContentTypeComment:`
			`return "octicon-comment"`
			`default:`
			`return "octicon-question"`
			`}`
			`}`

			`func (ard AbuseReportDetailed) ContentURL() string {`
			`switch ard.ContentType {`
			`case ReportedContentTypeUser:`
			`return strings.TrimLeft(ard.ContentReference, "@")`
			`case ReportedContentTypeIssue:`
			`return strings.ReplaceAll(ard.ContentReference, "#", "/issues/")`
			`default:`
			`return ard.ContentReference`
			`}`
			`}`

			`func GetOpenReports(ctx context.Context) ([]*AbuseReportDetailed, error) {`
			`var reports []*AbuseReportDetailed`

			`// - For PostgreSQL user table name should be escaped.`
			`// - Escaping can be done with double quotes (") but this doesn't work for MariaDB.`
			`// - For SQLite index column name should be escaped.`
			// - Escaping can be done with double quotes (") or backticks (`).
			`// - For MariaDB/MySQL there is no need to escape the above.`
			`// - Therefore we will use double quotes (") but only for PostgreSQL and SQLite.`
			identifierEscapeChar := ``
			`if setting.Database.Type.IsPostgreSQL() \|\| setting.Database.Type.IsSQLite3() {`
			identifierEscapeChar = `"`
			`}`

			err := db.GetEngine(ctx).SQL(fmt.Sprintf(`SELECT AR.*, ARD.reported_times, U.name AS reporter_name, REFS.ref AS content_reference
			`FROM abuse_report AR`
			`INNER JOIN (`
			`SELECT min(id) AS id, count(id) AS reported_times`
			`FROM abuse_report`
			`WHERE status = %[2]d`
			`GROUP BY content_type, content_id`
			`) ARD ON ARD.id = AR.id`
			`LEFT JOIN %[1]suser%[1]s U ON U.id = AR.reporter_id`
			`LEFT JOIN (`
			`SELECT %[3]d AS type, id, concat('@', name) AS "ref"`
			`FROM %[1]suser%[1]s WHERE id IN (`
			`SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[3]d`
			`)`
			`UNION`
			`SELECT %[4]d AS "type", id, concat(owner_name, '/', name) AS "ref"`
			`FROM repository WHERE id IN (`
			`SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[4]d`
			`)`
			`UNION`
			`SELECT %[5]d AS "type", I.id, concat(IR.owner_name, '/', IR.name, '#', I.%[1]sindex%[1]s) AS "ref"`
			`FROM issue I`
			`LEFT JOIN repository IR ON IR.id = I.repo_id`
			`WHERE I.id IN (`
			`SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[5]d`
			`)`
			`UNION`
			`SELECT %[6]d AS "type", C.id, concat(CIR.owner_name, '/', CIR.name, '/issues/', CI.%[1]sindex%[1]s, '#issuecomment-', C.id) AS "ref"`
			`FROM comment C`
			`LEFT JOIN issue CI ON CI.id = C.issue_id`
			`LEFT JOIN repository CIR ON CIR.id = CI.repo_id`
			`WHERE C.id IN (`
			`SELECT content_id FROM abuse_report WHERE status = %[2]d AND content_type = %[6]d`
			`)`
			`) REFS ON REFS.type = AR.content_type AND REFS.id = AR.content_id`
			ORDER BY AR.created_unix ASC`, identifierEscapeChar, ReportStatusTypeOpen,
			`ReportedContentTypeUser, ReportedContentTypeRepository, ReportedContentTypeIssue, ReportedContentTypeComment)).`
			`Find(&reports)`
			`if err != nil {`
			`return nil, err`
			`}`
			`return reports, nil`
			`}`

			`func GetOpenReportsByTypeAndContentID(ctx context.Context, contentType ReportedContentType, contentID int64) ([]*AbuseReportDetailed, error) {`
			`var reports []*AbuseReportDetailed`

			`// Some remarks concerning PostgreSQL:`
			// - user table should be escaped (e.g. `user`);
			`// - tried to use aliases for table names but errors like 'invalid reference to FROM-clause entry'`
			`// or 'missing FROM-clause entry' were returned;`
			`err := db.GetEngine(ctx).`
			Select("abuse_report.*, `user`.name AS reporter_name, abuse_report_shadow_copy.created_unix AS shadow_copy_date, abuse_report_shadow_copy.raw_value AS shadow_copy_raw_value").
			`Table("abuse_report").`
			Join("LEFT", "user", "`user`.id = abuse_report.reporter_id").
			`Join("LEFT", "abuse_report_shadow_copy", "abuse_report_shadow_copy.id = abuse_report.shadow_copy_id").`
			`Where(builder.Eq{`
			`"content_type": contentType,`
			`"content_id": contentID,`
			`"status": ReportStatusTypeOpen,`
			`}).`
			`Asc("abuse_report.created_unix").`
			`Find(&reports)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return reports, nil`
			`}`