Allow removal of unwanted mentions

Mainly for team admins to moderate team tags, but also for users to
remove spam. For now, we only delete the mention entry, we do not allow
to change the note otherwise, even for team admins.

Author: dutow

app/assets/stylesheets/components/notes.css

@@ -90,13 +90,38 @@
 }
 
 .note-mention {
+  display: inline-flex;
+  align-items: center;
+  gap: var(--spacing-1);
   background: var(--color-gray-50);
   padding: 2px 8px;
   border-radius: var(--border-radius-sm);
   font-size: var(--font-size-xs);
   color: var(--color-text-primary);
 }
 
+.mention-remove-button {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 14px;
+  height: 14px;
+  padding: 0;
+  margin-left: 2px;
+  background: var(--color-gray-200);
+  border: none;
+  border-radius: 50%;
+  color: var(--color-text-secondary);
+  font-size: 8px;
+  cursor: pointer;
+  transition: background-color var(--transition-fast), color var(--transition-fast);
+}
+
+.mention-remove-button:hover {
+  background: var(--color-danger-bg-hover);
+  color: var(--color-danger-text);
+}
+
 .note-edit-toggle summary {
   cursor: pointer;
   color: var(--color-text-link);

app/controllers/note_mentions_controller.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class NoteMentionsController < ApplicationController
+  before_action :require_authentication
+  before_action :set_mention
+
+  def destroy
+    authorize_removal!
+    return if performed?
+
+    @mention.destroy
+
+    redirect_back fallback_location: topic_path(@mention.note.topic), notice: "Mention removed"
+  end
+
+  private
+
+  def set_mention
+    @mention = NoteMention.find(params[:id])
+  end
+
+  def authorize_removal!
+    mentionable = @mention.mentionable
+
+    case mentionable
+    when User
+      unless mentionable.id == current_user.id
+        redirect_back fallback_location: topic_path(@mention.note.topic), alert: "You can only remove your own mentions"
+      end
+    when Team
+      unless mentionable.admin?(current_user)
+        redirect_back fallback_location: topic_path(@mention.note.topic), alert: "Only team admins can remove team mentions"
+      end
+    else
+      redirect_back fallback_location: topic_path(@mention.note.topic), alert: "Cannot remove this mention"
+    end
+  end
+end

app/helpers/application_helper.rb

@@ -75,4 +75,18 @@ def note_mention_label(mention)
       "@unknown"
     end
   end
+
+  def can_remove_note_mention?(mention, user)
+    return false unless user
+    mentionable = mention.mentionable
+
+    case mentionable
+    when User
+      mentionable.id == user.id
+    when Team
+      mentionable.admin?(user)
+    else
+      false
+    end
+  end
 end

app/views/notes/_note.html.slim

@@ -16,7 +16,11 @@
     .note-mentions
       span.note-mentions-label Mentions:
       - note.note_mentions.each do |mention|
-        span.note-mention = note_mention_label(mention)
+        span.note-mention
+          = note_mention_label(mention)
+          - if can_remove_note_mention?(mention, current_user)
+            = button_to note_mention_path(mention), method: :delete, class: "mention-remove-button", title: "Remove this mention", form: { data: { turbo_confirm: "Remove yourself from this note's mentions?" } } do
+              i.fa-solid.fa-xmark
 
   - if current_user&.id == note.author_id
     .note-actions-row

config/routes.rb

@@ -60,6 +60,7 @@
     post :mark_all_read, on: :collection
   end
   resources :notes, only: [:create, :update, :destroy]
+  resources :note_mentions, only: [:destroy]
   get "stats", to: "stats#show", as: :stats
   get "stats/data", to: "stats#data", as: :stats_data
 

spec/requests/note_mentions_spec.rb

@@ -0,0 +1,124 @@
+require "rails_helper"
+
+RSpec.describe "NoteMentions", type: :request do
+  def sign_in(email:, password: "secret")
+    post session_path, params: { email: email, password: password }
+    expect(response).to redirect_to(root_path)
+  end
+
+  def attach_verified_alias(user, email:, primary: true)
+    al = create(:alias, user: user, email: email)
+    if primary && user.person&.default_alias_id.nil?
+      user.person.update!(default_alias_id: al.id)
+    end
+    Alias.by_email(email).update_all(verified_at: Time.current)
+    al
+  end
+
+  let!(:topic) { create(:topic) }
+  let!(:author) { create(:user, password: "secret", password_confirmation: "secret") }
+  let!(:mentioned_user) { create(:user, password: "secret", password_confirmation: "secret") }
+  let!(:other_user) { create(:user, password: "secret", password_confirmation: "secret") }
+  let!(:team) { create(:team) }
+  let!(:team_admin) { create(:user, password: "secret", password_confirmation: "secret") }
+  let!(:team_member) { create(:user, password: "secret", password_confirmation: "secret") }
+
+  let!(:note) { Note.create!(topic: topic, author: author, body: "A note") }
+  let!(:user_mention) { NoteMention.create!(note: note, mentionable: mentioned_user) }
+  let!(:team_mention) { NoteMention.create!(note: note, mentionable: team) }
+
+  before do
+    create(:team_member, team: team, user: team_admin, role: "admin")
+    create(:team_member, team: team, user: team_member, role: "member")
+  end
+
+  describe "DELETE /note_mentions/:id" do
+    context "when user removes their own mention" do
+      before do
+        attach_verified_alias(mentioned_user, email: "mentioned@example.com")
+        sign_in(email: "mentioned@example.com")
+      end
+
+      it "allows the mentioned user to remove their own mention" do
+        expect {
+          delete note_mention_path(user_mention)
+        }.to change(NoteMention, :count).by(-1)
+
+        expect(response).to redirect_to(topic_path(topic))
+        expect(flash[:notice]).to eq("Mention removed")
+      end
+    end
+
+    context "when user tries to remove another user's mention" do
+      before do
+        attach_verified_alias(other_user, email: "other@example.com")
+        sign_in(email: "other@example.com")
+      end
+
+      it "prevents removing another user's mention" do
+        expect {
+          delete note_mention_path(user_mention)
+        }.not_to change(NoteMention, :count)
+
+        expect(response).to redirect_to(topic_path(topic))
+        expect(flash[:alert]).to eq("You can only remove your own mentions")
+      end
+    end
+
+    context "when team admin removes team mention" do
+      before do
+        attach_verified_alias(team_admin, email: "teamadmin@example.com")
+        sign_in(email: "teamadmin@example.com")
+      end
+
+      it "allows team admin to remove team mention" do
+        expect {
+          delete note_mention_path(team_mention)
+        }.to change(NoteMention, :count).by(-1)
+
+        expect(response).to redirect_to(topic_path(topic))
+        expect(flash[:notice]).to eq("Mention removed")
+      end
+    end
+
+    context "when team member (non-admin) tries to remove team mention" do
+      before do
+        attach_verified_alias(team_member, email: "teammember@example.com")
+        sign_in(email: "teammember@example.com")
+      end
+
+      it "prevents non-admin team members from removing team mention" do
+        expect {
+          delete note_mention_path(team_mention)
+        }.not_to change(NoteMention, :count)
+
+        expect(response).to redirect_to(topic_path(topic))
+        expect(flash[:alert]).to eq("Only team admins can remove team mentions")
+      end
+    end
+
+    context "when non-team member tries to remove team mention" do
+      before do
+        attach_verified_alias(other_user, email: "other@example.com")
+        sign_in(email: "other@example.com")
+      end
+
+      it "prevents non-members from removing team mention" do
+        expect {
+          delete note_mention_path(team_mention)
+        }.not_to change(NoteMention, :count)
+
+        expect(response).to redirect_to(topic_path(topic))
+        expect(flash[:alert]).to eq("Only team admins can remove team mentions")
+      end
+    end
+
+    context "when not signed in" do
+      it "requires authentication" do
+        delete note_mention_path(user_mention)
+
+        expect(response).to redirect_to(new_session_path)
+      end
+    end
+  end
+end