
Research and implement community feedback features #9

Draft
R44VC0RP wants to merge 1 commit into main from
cursor/research-and-implement-community-feedback-features-9bba

Conversation

@R44VC0RP (Owner)

Add discussion and rating features to rules and feed pages.

This PR implements a comprehensive discussion and rating system to gather community input, improve content quality, and foster engagement, as requested by a customer. It includes:

  • Database Schema: New tables for rating, comment, and report.
  • API Endpoints: For managing ratings, comments, and reports.
  • UI Components: Interactive star ratings, threaded comments with replies, and user avatars.
  • Page Integration: Discussion and rating sections on individual rule pages, and aggregated stats (average rating, comment count) on the main feed.
  • Moderation: Users can delete their own comments and report inappropriate content.
  • Mobile Responsiveness: All new components are optimized for mobile views.


Co-authored-by: raavtube <raavtube@icloud.com>
@cursor

cursor bot commented Aug 30, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

@coderabbitai

coderabbitai bot commented Aug 30, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@vercel

vercel bot commented Aug 30, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
cursor.link Error Error Aug 30, 2025 5:59pm


{session && !isOwner && (
<>
{isOwner && <DropdownMenuSeparator />}

Suggested change
{isOwner && <DropdownMenuSeparator />}

Unreachable code: The dropdown separator will never render due to contradictory conditional logic.


Analysis

Line 181 contains {isOwner && <DropdownMenuSeparator />} inside a block that's already conditioned on {session && !isOwner && (. Since the outer condition requires !isOwner to be true, the inner condition isOwner can never be true, making the separator completely unreachable.

This appears to be a copy-paste error where the separator condition should either be removed entirely (if no separator is needed) or changed to simply <DropdownMenuSeparator /> if a separator should always appear between owner actions and report actions when both sections are present.

Looking at the structure, it seems like the intention was to show a separator between the "Delete" option (for owners) and the "Report" option (for non-owners), but the logic is inverted. The separator should likely be conditional on whether owner actions are present: {session && isOwner && <DropdownMenuSeparator />} to separate owner actions from non-owner actions.

Comment on lines +23 to +33
.where(sql`${rating.ruleId} = ANY(${ruleIds})`)
.groupBy(rating.ruleId)

// Get comment counts for all rules
const commentStats = await db
.select({
ruleId: comment.ruleId,
totalComments: count(comment.id),
})
.from(comment)
.where(sql`${comment.ruleId} = ANY(${ruleIds})`)

Critical SQL injection vulnerability: User input is directly interpolated into SQL queries without proper sanitization.

📝 Patch Details
diff --git a/app/api/feed/stats/route.ts b/app/api/feed/stats/route.ts
index 4ded31a..e849dec 100644
--- a/app/api/feed/stats/route.ts
+++ b/app/api/feed/stats/route.ts
@@ -1,7 +1,7 @@
 import { NextRequest, NextResponse } from "next/server"
 import { db } from "@/lib/db"
 import { rating, comment } from "@/lib/schema"
-import { eq, avg, count, sql } from "drizzle-orm"
+import { eq, avg, count, sql, inArray } from "drizzle-orm"
 
 export async function GET(request: NextRequest) {
   try {
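Review bot: once both raw sql`...` predicates are gone, `sql` (and `eq` and `avg`, if they have no other use in this file) become dead imports; trim the import line to what the file still uses so the raw-SQL helper does not linger as an easy path back to string interpolation.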
@@ -20,7 +20,7 @@ export async function GET(request: NextRequest) {
         totalRatings: count(rating.id),
       })
       .from(rating)
-      .where(sql`${rating.ruleId} = ANY(${ruleIds})`)
+      .where(inArray(rating.ruleId, ruleIds))
       .groupBy(rating.ruleId)
 
     // Get comment counts for all rules
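Review bot: `inArray(rating.ruleId, ruleIds)` is the right replacement, but the predicate is only as safe as the list it receives; since `ruleIds` comes from splitting a query parameter on commas, validate it before either query runs: reject an empty list (an empty IN list is not meaningful SQL), cap its length so a single request cannot fan out an arbitrarily large IN clause, and drop blank entries left by trailing or doubled commas, e.g. `raw.split(",").map(s => s.trim()).filter(Boolean)`.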
@@ -30,7 +30,7 @@ export async function GET(request: NextRequest) {
         totalComments: count(comment.id),
       })
       .from(comment)
-      .where(sql`${comment.ruleId} = ANY(${ruleIds})`)
+      .where(inArray(comment.ruleId, ruleIds))
       .groupBy(comment.ruleId)
 
     // Combine the stats
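Review bot: same change as the ratings query, and both queries consume the same `ruleIds`, so one validation up front covers both; in the combining step that follows, remember that GROUP BY yields rows only for rule ids with at least one comment or rating, so every requested id should start with zero counts and a null average before the grouped rows are overlaid, otherwise rules with no activity silently vanish from the response.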
@@ -75,4 +75,4 @@ export async function GET(request: NextRequest) {
     console.error("Error fetching feed stats:", error)
     return NextResponse.json({ error: "Internal server error" }, { status: 500 })
   }
-}
\ No newline at end of file
+}
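Review bot: this final hunk is whitespace only (it adds the missing trailing newline); fine to keep, but an .editorconfig or formatter setting would stop such churn from appearing alongside security-relevant changes.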

Analysis

Lines 23 and 33 use sql`${rating.ruleId} = ANY(${ruleIds})` and sql`${comment.ruleId} = ANY(${ruleIds})` where ruleIds comes directly from URL query parameters that are split by comma. This creates a SQL injection vulnerability because the user-controlled ruleIds array is interpolated directly into the SQL query without proper sanitization or parameterization.

An attacker could manipulate the ruleIds parameter to inject malicious SQL code. For example, a request like /api/feed/stats?ruleIds='; DROP TABLE rating; -- could potentially execute dangerous SQL commands.

The fix is to use Drizzle ORM's inArray() function instead of raw SQL interpolation: .where(inArray(rating.ruleId, ruleIds)) and .where(inArray(comment.ruleId, ruleIds)). This will properly parameterize the query and prevent SQL injection attacks.
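The review above recommends replacing the raw ANY(${ruleIds}) interpolation with inArray. As an added example that is not part of this PR or the project's code, the TypeScript below shows the defensive pieces around that query which the analysis leaves implicit: validating the comma-split ruleIds query parameter (the ID alphabet and the per-request maximum are assumed limits), building the parameterized IN ($1, $2, ...) predicate that inArray stands for, with the user-supplied values kept apart from the SQL text, and merging the grouped results back onto the requested ids so rules without any rating or comment still get explicit zeros. The function names parseRuleIds, inArrayPredicate and mergeStats are hypothetical.

```typescript
// Added example, not code from the PR. Demonstrates input validation and
// parameterized IN-list construction for a comma-separated `ruleIds` query
// parameter. The cap and the ID pattern below are assumptions for illustration.

const MAX_RULE_IDS = 50;                        // assumed per-request cap
const RULE_ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/; // assumed ID alphabet

type ParsedRuleIds =
  | { ok: true; ids: string[] }
  | { ok: false; error: string };

// Split, trim, dedupe and validate the raw query value before it reaches SQL.
function parseRuleIds(raw: string | null): ParsedRuleIds {
  if (raw === null) return { ok: false, error: "ruleIds is required" };
  const ids = Array.from(
    new Set(raw.split(",").map((s) => s.trim()).filter((s) => s !== ""))
  );
  if (ids.length === 0) return { ok: false, error: "ruleIds is empty" };
  if (ids.length > MAX_RULE_IDS) {
    return { ok: false, error: `at most ${MAX_RULE_IDS} ruleIds per request` };
  }
  const bad = ids.find((id) => !RULE_ID_PATTERN.test(id));
  if (bad !== undefined) {
    return { ok: false, error: `malformed rule id: ${JSON.stringify(bad)}` };
  }
  return { ok: true, ids };
}

interface ParamQuery {
  text: string;     // SQL containing numbered placeholders only
  values: string[]; // bound separately, never spliced into `text`
}

// Build `column IN ($n, $n+1, ...)`, one placeholder per value. The column name
// is a code-controlled identifier checked against a fixed pattern; the
// user-supplied ids only ever appear in `values`.
function inArrayPredicate(column: string, ids: string[], startIndex = 1): ParamQuery {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(column)) {
    throw new Error(`invalid column identifier: ${column}`);
  }
  if (ids.length === 0) return { text: "FALSE", values: [] }; // `IN ()` is invalid SQL
  const placeholders = ids.map((_, i) => `$${startIndex + i}`).join(", ");
  return { text: `${column} IN (${placeholders})`, values: [...ids] };
}

interface RatingAgg { ruleId: string; averageRating: number | null; totalRatings: number }
interface CommentAgg { ruleId: string; totalComments: number }
interface RuleStats { ruleId: string; averageRating: number | null; totalRatings: number; totalComments: number }

// GROUP BY only yields rows for ids that matched, so every requested id starts
// at zero and the aggregates are overlaid; rows for ids that were not requested
// are ignored rather than leaking into the response.
function mergeStats(ids: string[], ratingRows: RatingAgg[], commentRows: CommentAgg[]): Record<string, RuleStats> {
  const out: Record<string, RuleStats> = {};
  for (const id of ids) {
    out[id] = { ruleId: id, averageRating: null, totalRatings: 0, totalComments: 0 };
  }
  for (const r of ratingRows) {
    const s = out[r.ruleId];
    if (s !== undefined) { s.averageRating = r.averageRating; s.totalRatings = r.totalRatings; }
  }
  for (const c of commentRows) {
    const s = out[c.ruleId];
    if (s !== undefined) s.totalComments = c.totalComments;
  }
  return out;
}

// Constructed walk-through: a request carrying two ids plus a trailing comma.
const parsed = parseRuleIds("rule_a,rule_b,");
if (parsed.ok) {
  const where = inArrayPredicate("rule_id", parsed.ids);
  // where.text   -> "rule_id IN ($1, $2)"
  // where.values -> ["rule_a", "rule_b"]
  const stats = mergeStats(
    parsed.ids,
    [{ ruleId: "rule_a", averageRating: 4.5, totalRatings: 2 }], // constructed DB rows
    [{ ruleId: "rule_b", totalComments: 3 }]
  );
  console.log(where, stats);
}
```

The same split-then-validate step should run once, before both the ratings and the comments query, and a failed parse should turn into a 400 response rather than reaching the database; with an ORM such as Drizzle, inArray takes the validated array directly and produces the placeholder form shown here.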
