✨(backend) add comment viewset

This commit add the CRUD part to manage comment lifeycle. Permissions
are relying on the Document and Comment abilities. Comment viewset
depends on the Document route and is added to the
document_related_router. Dedicated serializer and permission are
created.

src/backend/core/api/permissions.py

@@ -171,3 +171,19 @@ class ResourceAccessPermission(IsAuthenticated):
 
         action = view.action
         return abilities.get(action, False)
+
+
+class CommentPermission(permissions.BasePermission):
+    """Permission class for comments."""
+
+    def has_permission(self, request, view):
+        """Check permission for a given object."""
+        if view.action in ["create", "list"]:
+            document_abilities = view.get_document_or_404().get_abilities(request.user)
+            return document_abilities["comment"]
+
+        return True
+
+    def has_object_permission(self, request, view, obj):
+        """Check permission for a given object."""
+        return obj.get_abilities(request.user).get(view.action, False)

src/backend/core/api/serializers.py

@@ -891,3 +891,47 @@ class MoveDocumentSerializer(serializers.Serializer):
         choices=enums.MoveNodePositionChoices.choices,
         default=enums.MoveNodePositionChoices.LAST_CHILD,
     )
+
+
+class CommentSerializer(serializers.ModelSerializer):
+    """Serialize comments."""
+
+    user = UserLightSerializer(read_only=True)
+    abilities = serializers.SerializerMethodField(read_only=True)
+
+    class Meta:
+        model = models.Comment
+        fields = [
+            "id",
+            "content",
+            "created_at",
+            "updated_at",
+            "user",
+            "document",
+            "abilities",
+        ]
+        read_only_fields = [
+            "id",
+            "created_at",
+            "updated_at",
+            "user",
+            "document",
+            "abilities",
+        ]
+
+    def get_abilities(self, comment) -> dict:
+        """Return abilities of the logged-in user on the instance."""
+        request = self.context.get("request")
+        if request:
+            return comment.get_abilities(request.user)
+        return {}
+
+    def validate(self, attrs):
+        """Validate invitation data."""
+        request = self.context.get("request")
+        user = getattr(request, "user", None)
+
+        attrs["document_id"] = self.context["resource_id"]
+        attrs["user_id"] = user.id if user else None
+
+        return attrs

src/backend/core/api/viewsets.py

@@ -2150,3 +2150,36 @@ class ConfigView(drf.views.APIView):
             )
 
         return theme_customization
+
+
+class CommentViewSet(
+    viewsets.ModelViewSet,
+):
+    """API ViewSet for comments."""
+
+    permission_classes = [permissions.CommentPermission]
+    queryset = models.Comment.objects.select_related("user", "document").all()
+    serializer_class = serializers.CommentSerializer
+    pagination_class = Pagination
+    _document = None
+
+    def get_document_or_404(self):
+        """Get the document related to the viewset or raise a 404 error."""
+        if self._document is None:
+            try:
+                self._document = models.Document.objects.get(
+                    pk=self.kwargs["resource_id"],
+                )
+            except models.Document.DoesNotExist as e:
+                raise drf.exceptions.NotFound("Document not found.") from e
+        return self._document
+
+    def get_serializer_context(self):
+        """Extra context provided to the serializer class."""
+        context = super().get_serializer_context()
+        context["resource_id"] = self.kwargs["resource_id"]
+        return context
+
+    def get_queryset(self):
+        """Return the queryset according to the action."""
+        return super().get_queryset().filter(document=self.kwargs["resource_id"])