authorAngie Byron <webchick@24967.no-reply.drupal.org>2010-08-22 10:01:06 +0000
committerAngie Byron <webchick@24967.no-reply.drupal.org>2010-08-22 10:01:06 +0000
commitc72614b01e595eb52e60905fafa74e05ddbe5f9d (patch)
treefed20b356055d80188759ae2eb4fef809424ad32
parentff836870d80f5e1703990e8823bac1e506d96ce1 (diff)
#845774 by aaronbauman, sun: Fixed Regression: Anonymous users can post comments in the name of registered users.
-rw-r--r--modules/comment/comment.module62
-rw-r--r--modules/comment/comment.test10
2 files changed, 33 insertions, 39 deletions
diff --git a/modules/comment/comment.module b/modules/comment/comment.module
index ce976d139..794ef83c1 100644
--- a/modules/comment/comment.module
+++ b/modules/comment/comment.module
@@ -1880,6 +1880,7 @@ function comment_form($form, &$form_state, $comment) {
'#type' => 'textfield',
'#title' => t('Your name'),
'#default_value' => $author,
+ '#required' => (!$user->uid && $anonymous_contact == COMMENT_ANONYMOUS_MUST_CONTACT),
'#maxlength' => 60,
'#size' => 30,
);
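Review bot: The `'#required'` expression added here for the name field is repeated verbatim for the mail field in the next hunk, so the two conditions can drift apart on a later edit. Consider computing it once before the field definitions, e.g. `$contact_required = !$user->uid && $anonymous_contact == COMMENT_ANONYMOUS_MUST_CONTACT;`, and using `'#required' => $contact_required,` in both places. comment_form() starts and ends outside this hunk, so where `$user` and `$anonymous_contact` are set is not visible here.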
@@ -1890,6 +1891,7 @@ function comment_form($form, &$form_state, $comment) {
'#type' => 'textfield',
'#title' => t('E-mail'),
'#default_value' => $comment->mail,
+ '#required' => (!$user->uid && $anonymous_contact == COMMENT_ANONYMOUS_MUST_CONTACT),
'#maxlength' => 64,
'#size' => 30,
'#description' => t('The content of this field is kept private and will not be shown publicly.'),
@@ -1903,11 +1905,6 @@ function comment_form($form, &$form_state, $comment) {
'#size' => 30,
'#access' => $is_admin || (!$user->uid && $anonymous_contact != COMMENT_ANONYMOUS_MAYNOT_CONTACT),
);
- // Conditionally mark fields as required for anonymous users, if configured.
- if (!$user->uid && $anonymous_contact == COMMENT_ANONYMOUS_MUST_CONTACT) {
- $form['author']['name']['#required'] = TRUE;
- $form['author']['mail']['#required'] = TRUE;
- }
// Add administrative comment publishing options.
$form['author']['date'] = array(
@@ -2055,42 +2052,29 @@ function comment_form_validate($form, &$form_state) {
}
}
- // Check validity of name, mail and homepage (if given).
- if (!$user->uid || $form_state['values']['is_anonymous']) {
- $node = node_load($form_state['values']['nid']);
- if (variable_get('comment_anonymous_' . $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) > COMMENT_ANONYMOUS_MAYNOT_CONTACT) {
- if ($form_state['values']['name']) {
- $query = db_select('users', 'u');
- $query->addField('u', 'uid', 'uid');
- $taken = $query
- ->condition('name', db_like($form_state['values']['name']), 'LIKE')
- ->countQuery()
- ->execute()
- ->fetchField();
- if ($taken != 0) {
- form_set_error('name', t('The name you used belongs to a registered user.'));
- }
- }
- elseif (variable_get('comment_anonymous_' . $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) == COMMENT_ANONYMOUS_MUST_CONTACT) {
- form_set_error('name', t('You have to leave your name.'));
- }
-
- if ($form_state['values']['mail']) {
- if (!valid_email_address($form_state['values']['mail'])) {
- form_set_error('mail', t('The e-mail address you specified is not valid.'));
- }
- }
- elseif (variable_get('comment_anonymous_' . $node->type, COMMENT_ANONYMOUS_MAYNOT_CONTACT) == COMMENT_ANONYMOUS_MUST_CONTACT) {
- form_set_error('mail', t('You have to leave an e-mail address.'));
- }
-
- if ($form_state['values']['homepage']) {
- if (!valid_url($form_state['values']['homepage'], TRUE)) {
- form_set_error('homepage', t('The URL of your homepage is not valid. Remember that it must be fully qualified, i.e. of the form <code>http://example.com/directory</code>.'));
- }
+ // Validate anonymous comment author fields (if given).
+ if ($form_state['values']['is_anonymous']) {
+ // If the (original) author of this comment was an anonymous user, verify
+ // that no registered user with this name exists.
+ if ($form_state['values']['name']) {
+ $query = db_select('users', 'u');
+ $query->addField('u', 'uid', 'uid');
+ $taken = $query
+ ->condition('name', db_like($form_state['values']['name']), 'LIKE')
+ ->countQuery()
+ ->execute()
+ ->fetchField();
+ if ($taken) {
+ form_set_error('name', t('The name you used belongs to a registered user.'));
}
}
}
+ if ($form_state['values']['mail'] && !valid_email_address($form_state['values']['mail'])) {
+ form_set_error('mail', t('The e-mail address you specified is not valid.'));
+ }
+ if ($form_state['values']['homepage'] && !valid_url($form_state['values']['homepage'], TRUE)) {
+ form_set_error('homepage', t('The URL of your homepage is not valid. Remember that it must be fully qualified, i.e. of the form <code>http://example.com/directory</code>.'));
+ }
}
/**
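Review bot: The registered-name check is now entered only when `$form_state['values']['is_anonymous']` is truthy; the previous `!$user->uid ||` fallback is gone, so this one value is the sole gate for the impersonation check. Where it is populated is outside this hunk: confirm it is a server-side `'#type' => 'value'` element that submitted input cannot override, and record that in the comment, e.g. `// 'is_anonymous' is set server-side in comment_form(); it must never come from user input.` (assuming that is where it is set). The mail and homepage checks now run for every submitter rather than only anonymous ones, which looks intended but deserves a line in the comment. comment_form_validate() begins before the hunk.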
@@ -2110,7 +2094,7 @@ function comment_submit($comment) {
$comment->created = strtotime($comment->date);
$comment->changed = REQUEST_TIME;
- if (!empty($comment->name) && ($account = user_load_by_name($comment->name))) {
+ if (!$comment->is_anonymous && !empty($comment->name) && ($account = user_load_by_name($comment->name))) {
$comment->uid = $account->uid;
}
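Review bot: The new guard `!$comment->is_anonymous` fails open: if comment_submit() receives a `$comment` without that property (nothing in this hunk sets it), the negation is TRUE and the name-to-uid lookup still runs, which is the behaviour this commit is meant to close. Requiring the property explicitly is safer, `if (isset($comment->is_anonymous) && !$comment->is_anonymous && !empty($comment->name) && ($account = user_load_by_name($comment->name))) {`, or at minimum add a comment stating that callers must set `is_anonymous`. The function continues outside the hunk, so whether other callers build `$comment` without the property needs checking.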
diff --git a/modules/comment/comment.test b/modules/comment/comment.test
index 54a39bf01..ba28b6ac2 100644
--- a/modules/comment/comment.test
+++ b/modules/comment/comment.test
@@ -521,6 +521,16 @@ class CommentAnonymous extends CommentHelperCase {
$anonymous_comment2 = $this->postComment($this->node, $this->randomName(), $this->randomName());
$this->assertTrue($this->commentExists($anonymous_comment2), t('Anonymous comment with contact info (optional) found.'));
+ // Ensure anonymous users cannot post in the name of registered users.
+ $edit = array(
+ 'name' => $this->admin_user->name,
+ 'mail' => $this->randomName() . '@example.com',
+ 'subject' => $this->randomName(),
+ 'comment_body[' . LANGUAGE_NONE . '][0][value]' => $this->randomName(),
+ );
+ $this->drupalPost('comment/reply/' . $this->node->nid, $edit, t('Save'));
+ $this->assertText(t('The name you used belongs to a registered user.'));
+
// Require contact info.
$this->drupalLogin($this->admin_user);
$this->setCommentAnonymous('2');
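Review bot: The new test checks only that the error message is shown, and only under the optional-contact setting active at this point (required-contact mode is switched on just afterwards, at `setCommentAnonymous('2')`). It would be stronger to also assert that no comment attributed to `$this->admin_user` was stored, and to repeat the post once contact info is required, since the `#required` handling changed in the same commit. A comment such as `// Must be rejected by validation; comment_submit() must not map the name to the admin uid.` would tie the test to both halves of the fix. The test method starts and ends outside this hunk.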