fix: improved validation in add_comment (#20520)

frappe/core/doctype/comment/test_comment.py

@@ -3,7 +3,10 @@
 import json
 
 import frappe
-from frappe.tests.utils import FrappeTestCase
+from frappe.templates.includes.comments.comments import add_comment
+from frappe.tests.test_model_utils import set_user
+from frappe.tests.utils import FrappeTestCase, change_settings
+from frappe.website.doctype.blog_post.test_blog_post import make_test_blog
 
 
 class TestComment(FrappeTestCase):
@@ -39,14 +42,10 @@ class TestComment(FrappeTestCase):
 
 	# test via blog
 	def test_public_comment(self):
-		from frappe.website.doctype.blog_post.test_blog_post import make_test_blog
-
 		test_blog = make_test_blog()
 
 		frappe.db.delete("Comment", {"reference_doctype": "Blog Post"})
 
-		from frappe.templates.includes.comments.comments import add_comment
-
 		frappe.form_dict.comment = "Good comment with 10 chars"
 		frappe.form_dict.comment_email = "test@test.com"
 		frappe.form_dict.comment_by = "Good Tester"
@@ -102,3 +101,32 @@ class TestComment(FrappeTestCase):
 		)
 
 		test_blog.delete()
+
+	@change_settings("Blog Settings", {"allow_guest_to_comment": 0})
+	def test_guest_cannot_comment(self):
+		test_blog = make_test_blog()
+		with set_user("Guest"):
+			frappe.form_dict.comment = "Good comment with 10 chars"
+			frappe.form_dict.comment_email = "mail@example.org"
+			frappe.form_dict.comment_by = "Good Tester"
+			frappe.form_dict.reference_doctype = "Blog Post"
+			frappe.form_dict.reference_name = test_blog.name
+			frappe.form_dict.route = test_blog.route
+			frappe.local.request_ip = "127.0.0.1"
+
+			self.assertEqual(add_comment(), None)
+
+	def test_user_not_logged_in(self):
+		some_system_user = frappe.db.get_value("User", {})
+
+		test_blog = make_test_blog()
+		with set_user("Guest"):
+			frappe.form_dict.comment = "Good comment with 10 chars"
+			frappe.form_dict.comment_email = some_system_user
+			frappe.form_dict.comment_by = "Good Tester"
+			frappe.form_dict.reference_doctype = "Blog Post"
+			frappe.form_dict.reference_name = test_blog.name
+			frappe.form_dict.route = test_blog.route
+			frappe.local.request_ip = "127.0.0.1"
+
+			self.assertRaises(frappe.ValidationError, add_comment)

frappe/templates/includes/comments/comments.py

@@ -18,10 +18,17 @@ EMAIL_PATTERN = re.compile(r"(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)"
 @frappe.whitelist(allow_guest=True)
 @rate_limit(key="reference_name", limit=get_comment_limit, seconds=60 * 60)
 def add_comment(comment, comment_email, comment_by, reference_doctype, reference_name, route):
-	doc = frappe.get_doc(reference_doctype, reference_name)
+	if frappe.session.user == "Guest":
+		if reference_doctype not in ("Blog Post", "Web Page"):
+			return
 
-	if frappe.session.user == "Guest" and doc.doctype not in ["Blog Post", "Web Page"]:
-		return
+		if reference_doctype == "Blog Post" and not frappe.db.get_single_value(
+			"Blog Settings", "allow_guest_to_comment"
+		):
+			return
+
+		if frappe.db.exists("User", comment_email):
+			frappe.throw(_("Please login to post a comment."))
 
 	if not comment.strip():
 		frappe.msgprint(_("The comment cannot be empty"))
@@ -31,6 +38,7 @@ def add_comment(comment, comment_email, comment_by, reference_doctype, reference
 		frappe.msgprint(_("Comments cannot have links or email addresses"))
 		return False
 
+	doc = frappe.get_doc(reference_doctype, reference_name)
 	comment = doc.add_comment(
 		text=clean_html(comment), comment_email=comment_email, comment_by=comment_by
 	)
@@ -50,9 +58,7 @@ def add_comment(comment, comment_email, comment_by, reference_doctype, reference
 		url, _("View Comment")
 	)
 
-	if doc.doctype == "Blog Post" and not doc.enable_email_notification:
-		pass
-	else:
+	if doc.doctype != "Blog Post" or doc.enable_email_notification:
 		# notify creator
 		creator_email = frappe.db.get_value("User", doc.owner, "email") or doc.owner
 		subject = _("New Comment on {0}: {1}").format(doc.doctype, doc.get_title())