#845774 by aaronbauman, sun: Fixed Regression: Anonymous users can post comments in the name of registered users.

merge-requests/26/head
Angie Byron 2010-08-22 10:01:06 +00:00
parent ff836870d8
commit c72614b01e
2 changed files with 33 additions and 39 deletions


@ -1880,6 +1880,7 @@ function comment_form($form, &$form_state, $comment) {
'#type' => 'textfield',
'#title' => t('Your name'),
'#default_value' => $author,
'#required' => (!$user->uid && $anonymous_contact == COMMENT_ANONYMOUS_MUST_CONTACT),
'#maxlength' => 60,
'#size' => 30,
);
@ -1890,6 +1891,7 @@ function comment_form($form, &$form_state, $comment) {
'#type' => 'textfield',
'#title' => t('E-mail'),
'#default_value' => $comment->mail,
'#required' => (!$user->uid && $anonymous_contact == COMMENT_ANONYMOUS_MUST_CONTACT),
'#maxlength' => 64,
'#size' => 30,
'#description' => t('The content of this field is kept private and will not be shown publicly.'),
@ -1903,11 +1905,6 @@ function comment_form($form, &$form_state, $comment) {
'#size' => 30,
'#access' => $is_admin || (!$user->uid && $anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT),
);
// Conditionally mark fields as required for anonymous users, if configured.
if (!$user->uid && $anonymous_contact == COMMENT_ANONYMOUS_MUST_CONTACT) {
$form['author']['name']['#required'] = TRUE;
$form['author']['mail']['#required'] = TRUE;
}
// Add administrative comment publishing options.
$form['author']['date'] = array(
@ -2055,42 +2052,29 @@ function comment_form_validate($form, &$form_state) {
}
}
// Check validity of name, mail and homepage (if given).
if (!$user->uid || $form_state['values']['is_anonymous']) {
$node = node_load($form_state['values']['nid']);
if (variable_get('comment_anonymous_' . $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) > COMMENT_ANONYMOUS_MAYNOT_CONTACT) {
if ($form_state['values']['name']) {
$query = db_select('users', 'u');
$query->addField('u', 'uid', 'uid');
$taken = $query
->condition('name', db_like($form_state['values']['name']), 'LIKE')
->countQuery()
->execute()
->fetchField();
if ($taken != 0) {
form_set_error('name', t('The name you used belongs to a registered user.'));
}
}
elseif (variable_get('comment_anonymous_' . $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) == COMMENT_ANONYMOUS_MUST_CONTACT) {
form_set_error('name', t('You have to leave your name.'));
}
if ($form_state['values']['mail']) {
if (!valid_email_address($form_state['values']['mail'])) {
form_set_error('mail', t('The e-mail address you specified is not valid.'));
}
}
elseif (variable_get('comment_anonymous_' . $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) == COMMENT_ANONYMOUS_MUST_CONTACT) {
form_set_error('mail', t('You have to leave an e-mail address.'));
}
if ($form_state['values']['homepage']) {
if (!valid_url($form_state['values']['homepage'], TRUE)) {
form_set_error('homepage', t('The URL of your homepage is not valid. Remember that it must be fully qualified, i.e. of the form <code>http://example.com/directory</code>.'));
}
// Validate anonymous comment author fields (if given).
if ($form_state['values']['is_anonymous']) {
// If the (original) author of this comment was an anonymous user, verify
// that no registered user with this name exists.
if ($form_state['values']['name']) {
$query = db_select('users', 'u');
$query->addField('u', 'uid', 'uid');
$taken = $query
->condition('name', db_like($form_state['values']['name']), 'LIKE')
->countQuery()
->execute()
->fetchField();
if ($taken) {
form_set_error('name', t('The name you used belongs to a registered user.'));
}
}
}
if ($form_state['values']['mail'] && !valid_email_address($form_state['values']['mail'])) {
form_set_error('mail', t('The e-mail address you specified is not valid.'));
}
if ($form_state['values']['homepage'] && !valid_url($form_state['values']['homepage'], TRUE)) {
form_set_error('homepage', t('The URL of your homepage is not valid. Remember that it must be fully qualified, i.e. of the form <code>http://example.com/directory</code>.'));
}
}
/**
@ -2110,7 +2094,7 @@ function comment_submit($comment) {
$comment->created = strtotime($comment->date);
$comment->changed = REQUEST_TIME;
if (!empty($comment->name) && ($account = user_load_by_name($comment->name))) {
if (!$comment->is_anonymous && !empty($comment->name) && ($account = user_load_by_name($comment->name))) {
$comment->uid = $account->uid;
}
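Review bot: Both new guards, the registered-name rejection behind `if ($form_state['values']['is_anonymous'])` in the comment_form_validate hunk and the `!$comment->is_anonymous` condition added to the uid mapping in the comment_submit hunk, hinge on `is_anonymous`, whose origin is not in this diff; the fix holds only if that flag is computed server-side from the stored comment's uid and carried as a value element, never read from a user-editable field, which I cannot confirm from these hunks. A one-line comment next to the validate check, `// is_anonymous is set server-side from the original comment's uid; it must never become a user-editable input.`, would make that invariant explicit for later edits. It is also worth noting in that comment that the `LIKE` comparison is deliberate so that a case-variant of a registered name is rejected too, since a reader may otherwise "fix" it to an equality check. comment_form_validate begins before its hunk and comment_submit continues past its hunk.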


@ -521,6 +521,16 @@ class CommentAnonymous extends CommentHelperCase {
$anonymous_comment2 = $this->postComment($this->node, $this->randomName(), $this->randomName());
$this->assertTrue($this->commentExists($anonymous_comment2), t('Anonymous comment with contact info (optional) found.'));
// Ensure anonymous users cannot post in the name of registered users.
$edit = array(
'name' => $this->admin_user->name,
'mail' => $this->randomName() . '@example.com',
'subject' => $this->randomName(),
'comment_body[' . LANGUAGE_NONE . '][0][value]' => $this->randomName(),
);
$this->drupalPost('comment/reply/' . $this->node->nid, $edit, t('Save'));
$this->assertText(t('The name you used belongs to a registered user.'));
// Require contact info.
$this->drupalLogin($this->admin_user);
$this->setCommentAnonymous('2');
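Review bot: The new assertion `$this->assertText(t('The name you used belongs to a registered user.'));` only proves the error message was rendered; it does not show that no comment was stored and attributed to `$this->admin_user`, which is the regression the commit title names. Adding a check after the post that the comment count on `$this->node` did not grow, or that no comment on that node carries the admin's uid, would pin the actual outcome rather than the message. Since the validator matches names with `LIKE`, a second post using a case-variant of `$this->admin_user->name` and asserting the same error would lock in that the check is not bypassed by case, with the caveat that LIKE case-sensitivity can depend on the database backend. The enclosing test method starts before this hunk.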