Add scope validation to mention decorator

joshuadavidthomas · joshuadavidthomas · commit d463236e9410 · 2025-06-17T14:56:48.000-05:00
diff --git a/src/django_github_app/commands.py b/src/django_github_app/commands.py
@@ -89,3 +89,25 @@ def check_event_for_mention(
         return True
 
     return any(mention.command == command.lower() for mention in mentions)
+
+
+def check_event_scope(
+    event_type: str, event_data: dict[str, Any], scope: CommandScope | None
+) -> bool:
+    if scope is None:
+        return True
+
+    # For issue_comment events, we need to distinguish between issues and PRs
+    if event_type == "issue_comment":
+        issue = event_data.get("issue", {})
+        is_pull_request = "pull_request" in issue and issue["pull_request"] is not None
+
+        # If scope is ISSUE, we only want actual issues (not PRs)
+        if scope == CommandScope.ISSUE:
+            return not is_pull_request
+        # If scope is PR, we only want pull requests
+        elif scope == CommandScope.PR:
+            return is_pull_request
+
+    scope_events = scope.get_events()
+    return any(event_action.event == event_type for event_action in scope_events)
diff --git a/src/django_github_app/routing.py b/src/django_github_app/routing.py
@@ -16,6 +16,7 @@
 from ._typing import override
 from .commands import CommandScope
 from .commands import check_event_for_mention
+from .commands import check_event_scope
 
 AsyncCallback = Callable[..., Awaitable[None]]
 SyncCallback = Callable[..., None]
@@ -83,6 +84,10 @@ async def async_wrapper(
                 if not check_event_for_mention(event.data, command, username):
                     return
 
+                # Check if the event matches the specified scope
+                if not check_event_scope(event.event, event.data, scope):
+                    return
+
                 # TODO: Check permissions
                 # For now, just call through
                 await func(event, *args, **wrapper_kwargs)  # type: ignore[func-returns-value]
@@ -97,6 +102,10 @@ def sync_wrapper(
                 if not check_event_for_mention(event.data, command, username):
                     return
 
+                # Check if the event matches the specified scope
+                if not check_event_scope(event.event, event.data, scope):
+                    return
+
                 # TODO: Check permissions
                 # For now, just call through
                 func(event, *args, **wrapper_kwargs)
diff --git a/tests/test_commands.py b/tests/test_commands.py
@@ -1,6 +1,8 @@
 from __future__ import annotations
 
+from django_github_app.commands import CommandScope
 from django_github_app.commands import check_event_for_mention
+from django_github_app.commands import check_event_scope
 from django_github_app.commands import parse_mentions
 
 
@@ -194,3 +196,87 @@ def test_multiple_mentions(self):
         assert check_event_for_mention(event, "help", "bot") is True
         assert check_event_for_mention(event, "deploy", "bot") is True
         assert check_event_for_mention(event, "test", "bot") is False
+
+
+class TestCheckEventScope:
+    def test_no_scope_allows_all_events(self):
+        # When no scope is specified, all events should pass
+        assert check_event_scope("issue_comment", {"issue": {}}, None) is True
+        assert check_event_scope("pull_request_review_comment", {}, None) is True
+        assert check_event_scope("commit_comment", {}, None) is True
+
+    def test_issue_scope_on_issue_comment(self):
+        # Issue comment on an actual issue (no pull_request field)
+        issue_event = {"issue": {"title": "Bug report"}}
+        assert (
+            check_event_scope("issue_comment", issue_event, CommandScope.ISSUE) is True
+        )
+
+        # Issue comment on a pull request (has pull_request field)
+        pr_event = {"issue": {"title": "PR title", "pull_request": {"url": "..."}}}
+        assert check_event_scope("issue_comment", pr_event, CommandScope.ISSUE) is False
+
+    def test_pr_scope_on_issue_comment(self):
+        # Issue comment on an actual issue (no pull_request field)
+        issue_event = {"issue": {"title": "Bug report"}}
+        assert check_event_scope("issue_comment", issue_event, CommandScope.PR) is False
+
+        # Issue comment on a pull request (has pull_request field)
+        pr_event = {"issue": {"title": "PR title", "pull_request": {"url": "..."}}}
+        assert check_event_scope("issue_comment", pr_event, CommandScope.PR) is True
+
+    def test_pr_scope_allows_pr_specific_events(self):
+        # PR scope should allow pull_request_review_comment
+        assert (
+            check_event_scope("pull_request_review_comment", {}, CommandScope.PR)
+            is True
+        )
+
+        # PR scope should allow pull_request_review
+        assert check_event_scope("pull_request_review", {}, CommandScope.PR) is True
+
+        # PR scope should not allow commit_comment
+        assert check_event_scope("commit_comment", {}, CommandScope.PR) is False
+
+    def test_commit_scope_allows_commit_comment_only(self):
+        # Commit scope should allow commit_comment
+        assert check_event_scope("commit_comment", {}, CommandScope.COMMIT) is True
+
+        # Commit scope should not allow issue_comment
+        assert (
+            check_event_scope("issue_comment", {"issue": {}}, CommandScope.COMMIT)
+            is False
+        )
+
+        # Commit scope should not allow PR events
+        assert (
+            check_event_scope("pull_request_review_comment", {}, CommandScope.COMMIT)
+            is False
+        )
+
+    def test_issue_scope_disallows_non_issue_events(self):
+        # Issue scope should not allow pull_request_review_comment
+        assert (
+            check_event_scope("pull_request_review_comment", {}, CommandScope.ISSUE)
+            is False
+        )
+
+        # Issue scope should not allow commit_comment
+        assert check_event_scope("commit_comment", {}, CommandScope.ISSUE) is False
+
+    def test_pull_request_field_none_treated_as_issue(self):
+        # If pull_request field exists but is None, treat as issue
+        event_with_none_pr = {"issue": {"title": "Issue", "pull_request": None}}
+        assert (
+            check_event_scope("issue_comment", event_with_none_pr, CommandScope.ISSUE)
+            is True
+        )
+        assert (
+            check_event_scope("issue_comment", event_with_none_pr, CommandScope.PR)
+            is False
+        )
+
+    def test_missing_issue_data(self):
+        # If issue data is missing entirely, default behavior
+        assert check_event_scope("issue_comment", {}, CommandScope.ISSUE) is True
+        assert check_event_scope("issue_comment", {}, CommandScope.PR) is False
diff --git a/tests/test_routing.py b/tests/test_routing.py
@@ -273,3 +273,177 @@ def sync_handler(event, *args, **kwargs):
         test_router.dispatch(event, None)
 
         assert handler_called
+
+    def test_scope_validation_issue_comment_on_issue(self, test_router):
+        """Test that ISSUE scope works for actual issues."""
+        handler_called = False
+
+        @test_router.mention(command="issue-only", scope=CommandScope.ISSUE)
+        def issue_handler(event, *args, **kwargs):
+            nonlocal handler_called
+            handler_called = True
+
+        # Issue comment on an actual issue (no pull_request field)
+        event = sansio.Event(
+            {
+                "action": "created",
+                "issue": {"title": "Bug report", "number": 123},
+                "comment": {"body": "@bot issue-only"},
+            },
+            event="issue_comment",
+            delivery_id="123",
+        )
+        test_router.dispatch(event, None)
+
+        assert handler_called
+
+    def test_scope_validation_issue_comment_on_pr(self, test_router):
+        """Test that ISSUE scope rejects PR comments."""
+        handler_called = False
+
+        @test_router.mention(command="issue-only", scope=CommandScope.ISSUE)
+        def issue_handler(event, *args, **kwargs):
+            nonlocal handler_called
+            handler_called = True
+
+        # Issue comment on a pull request (has pull_request field)
+        event = sansio.Event(
+            {
+                "action": "created",
+                "issue": {
+                    "title": "PR title",
+                    "number": 456,
+                    "pull_request": {"url": "https://api.github.com/..."},
+                },
+                "comment": {"body": "@bot issue-only"},
+            },
+            event="issue_comment",
+            delivery_id="123",
+        )
+        test_router.dispatch(event, None)
+
+        assert not handler_called
+
+    def test_scope_validation_pr_scope_on_pr(self, test_router):
+        """Test that PR scope works for pull requests."""
+        handler_called = False
+
+        @test_router.mention(command="pr-only", scope=CommandScope.PR)
+        def pr_handler(event, *args, **kwargs):
+            nonlocal handler_called
+            handler_called = True
+
+        # Issue comment on a pull request
+        event = sansio.Event(
+            {
+                "action": "created",
+                "issue": {
+                    "title": "PR title",
+                    "number": 456,
+                    "pull_request": {"url": "https://api.github.com/..."},
+                },
+                "comment": {"body": "@bot pr-only"},
+            },
+            event="issue_comment",
+            delivery_id="123",
+        )
+        test_router.dispatch(event, None)
+
+        assert handler_called
+
+    def test_scope_validation_pr_scope_on_issue(self, test_router):
+        """Test that PR scope rejects issue comments."""
+        handler_called = False
+
+        @test_router.mention(command="pr-only", scope=CommandScope.PR)
+        def pr_handler(event, *args, **kwargs):
+            nonlocal handler_called
+            handler_called = True
+
+        # Issue comment on an actual issue
+        event = sansio.Event(
+            {
+                "action": "created",
+                "issue": {"title": "Bug report", "number": 123},
+                "comment": {"body": "@bot pr-only"},
+            },
+            event="issue_comment",
+            delivery_id="123",
+        )
+        test_router.dispatch(event, None)
+
+        assert not handler_called
+
+    def test_scope_validation_commit_scope(self, test_router):
+        """Test that COMMIT scope works for commit comments."""
+        handler_called = False
+
+        @test_router.mention(command="commit-only", scope=CommandScope.COMMIT)
+        def commit_handler(event, *args, **kwargs):
+            nonlocal handler_called
+            handler_called = True
+
+        # Commit comment event
+        event = sansio.Event(
+            {
+                "action": "created",
+                "comment": {"body": "@bot commit-only"},
+                "commit": {"sha": "abc123"},
+            },
+            event="commit_comment",
+            delivery_id="123",
+        )
+        test_router.dispatch(event, None)
+
+        assert handler_called
+
+    def test_scope_validation_no_scope(self, test_router):
+        """Test that no scope allows all comment types."""
+        call_count = 0
+
+        @test_router.mention(command="all-contexts")
+        def all_handler(event, *args, **kwargs):
+            nonlocal call_count
+            call_count += 1
+
+        # Test on issue
+        event = sansio.Event(
+            {
+                "action": "created",
+                "issue": {"title": "Issue", "number": 1},
+                "comment": {"body": "@bot all-contexts"},
+            },
+            event="issue_comment",
+            delivery_id="123",
+        )
+        test_router.dispatch(event, None)
+
+        # Test on PR
+        event = sansio.Event(
+            {
+                "action": "created",
+                "issue": {
+                    "title": "PR",
+                    "number": 2,
+                    "pull_request": {"url": "..."},
+                },
+                "comment": {"body": "@bot all-contexts"},
+            },
+            event="issue_comment",
+            delivery_id="124",
+        )
+        test_router.dispatch(event, None)
+
+        # Test on commit
+        event = sansio.Event(
+            {
+                "action": "created",
+                "comment": {"body": "@bot all-contexts"},
+                "commit": {"sha": "abc123"},
+            },
+            event="commit_comment",
+            delivery_id="125",
+        )
+        test_router.dispatch(event, None)
+
+        assert call_count == 3
