feat!: Abusive content reporting (#6977)

This implements milestones 1. and 4. from **Task F. Moderation features: Reporting** (part of [amendment of the workplan](https://codeberg.org/forgejo/sustainability/src/branch/main/2022-12-01-nlnet/2025-02-07-extended-workplan.md#task-f-moderation-features-reporting) for NLnet 2022-12-035):

> 1. A reporting feature is implemented in the database. It ensures that content remains available for review, even if a user deletes it after a report was sent.

> 4. Users can report the most relevant content types (at least: issue comments, repositories, users)

### See also:
- forgejo/discussions#291
- forgejo/discussions#304
- forgejo/design#30

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/6977
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Reviewed-by: Otto <otto@codeberg.org>
Co-authored-by: floss4good <floss4good@disroot.org>
Co-committed-by: floss4good <floss4good@disroot.org>

services/moderation/reporting.go

@@ -0,0 +1,129 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package moderation
+
+import (
+	"errors"
+
+	"forgejo.org/models/issues"
+	"forgejo.org/models/moderation"
+	"forgejo.org/models/perm"
+	access_model "forgejo.org/models/perm/access"
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/models/unit"
+	"forgejo.org/models/user"
+	"forgejo.org/modules/log"
+	"forgejo.org/services/context"
+)
+
+var (
+	ErrContentDoesNotExist = errors.New("the content to be reported does not exist")
+	ErrDoerNotAllowed      = errors.New("doer not allowed to access the content to be reported")
+)
+
+// CanReport checks if doer has access to the content they are reporting
+// (user, organization, repository, issue, pull request or comment).
+// When reporting repositories the user should have at least read access to any repo unit type.
+// When reporting issues, pull requests or comments the user should have at least read access
+// to 'TypeIssues', respectively 'TypePullRequests' unit for the repository where the content belongs.
+// When reporting users or organizations doer should be able to view the reported entity.
+func CanReport(ctx context.Context, doer *user.User, contentType moderation.ReportedContentType, contentID int64) (bool, error) {
+	hasAccess := false
+	var issueID int64
+	var repoID int64
+	unitType := unit.TypeInvalid // used when checking access for issues, pull requests or comments
+
+	if contentType == moderation.ReportedContentTypeUser {
+		reportedUser, err := user.GetUserByID(ctx, contentID)
+		if err != nil {
+			if user.IsErrUserNotExist(err) {
+				log.Warn("User #%d wanted to report user #%d but it does not exist.", doer.ID, contentID)
+				return false, ErrContentDoesNotExist
+			}
+			return false, err
+		}
+
+		hasAccess = user.IsUserVisibleToViewer(ctx, reportedUser, ctx.Doer)
+		if !hasAccess {
+			log.Warn("User #%d wanted to report user/org #%d but they are not able to see that profile.", doer.ID, contentID)
+			return false, ErrDoerNotAllowed
+		}
+	} else {
+		// for comments and issues/pulls we need to get the parent repository
+		switch contentType {
+		case moderation.ReportedContentTypeComment:
+			comment, err := issues.GetCommentByID(ctx, contentID)
+			if err != nil {
+				if issues.IsErrCommentNotExist(err) {
+					log.Warn("User #%d wanted to report comment #%d but it does not exist.", doer.ID, contentID)
+					return false, ErrContentDoesNotExist
+				}
+				return false, err
+			}
+			if !comment.Type.HasContentSupport() {
+				// this is not a comment with text and/or attachments
+				log.Warn("User #%d wanted to report comment #%d but it is not a comment with content.", doer.ID, contentID)
+				return false, nil
+			}
+			issueID = comment.IssueID
+		case moderation.ReportedContentTypeIssue:
+			issueID = contentID
+		case moderation.ReportedContentTypeRepository:
+			repoID = contentID
+		}
+
+		if issueID > 0 {
+			issue, err := issues.GetIssueByID(ctx, issueID)
+			if err != nil {
+				if issues.IsErrIssueNotExist(err) {
+					log.Warn("User #%d wanted to report issue #%d (or one of its comments) but it does not exist.", doer.ID, issueID)
+					return false, ErrContentDoesNotExist
+				}
+				return false, err
+			}
+
+			repoID = issue.RepoID
+			if issue.IsPull {
+				unitType = unit.TypePullRequests
+			} else {
+				unitType = unit.TypeIssues
+			}
+		}
+
+		if repoID > 0 {
+			repo, err := repo_model.GetRepositoryByID(ctx, repoID)
+			if err != nil {
+				if repo_model.IsErrRepoNotExist(err) {
+					log.Warn("User #%d wanted to report repository #%d (or one of its issues / comments) but it does not exist.", doer.ID, repoID)
+					return false, ErrContentDoesNotExist
+				}
+				return false, err
+			}
+
+			if issueID > 0 {
+				// for comments and issues/pulls doer should have at least read access to the corresponding repo unit (issues, respectively pull requests)
+				hasAccess, err = access_model.HasAccessUnit(ctx, doer, repo, unitType, perm.AccessModeRead)
+				if err != nil {
+					return false, err
+				} else if !hasAccess {
+					log.Warn("User #%d wanted to report issue #%d or one of its comments from repository #%d but they don't have access to it.", doer.ID, issueID, repoID)
+					return false, ErrDoerNotAllowed
+				}
+			} else {
+				// for repositories doer should have at least read access to at least one repo unit
+				perm, err := access_model.GetUserRepoPermission(ctx, repo, doer)
+				if err != nil {
+					return false, err
+				}
+				hasAccess = perm.CanReadAny(unit.AllRepoUnitTypes...)
+				if !hasAccess {
+					log.Warn("User #%d wanted to report repository #%d but they don't have access to it.", doer.ID, repoID)
+					return false, ErrDoerNotAllowed
+				}
+			}
+		}
+	}
+
+	return hasAccess, nil
+}