fix: createComment Mutation not checking for name and email

src/Mutation/CommentCreate.php

@@ -39,11 +39,11 @@ public static function get_input_fields() {
 			],
 			'author'      => [
 				'type'        => 'String',
-				'description' => __( 'The name of the comment\'s author.', 'wp-graphql' ),
+				'description' => __( 'The name of the comment\'s author. This may be required based on the setting in [Settings] -> [Discussion]. ', 'wp-graphql' ),
 			],
 			'authorEmail' => [
 				'type'        => 'String',
-				'description' => __( 'The email of the comment\'s author.', 'wp-graphql' ),
+				'description' => __( 'The email of the comment\'s author. This may be required based on the setting in [Settings] -> [Discussion].', 'wp-graphql' ),
 			],
 			'authorUrl'   => [
 				'type'        => 'String',
@@ -142,8 +142,17 @@ public static function mutate_and_get_payload() {
 				throw new UserError( esc_html__( 'Sorry, this post is closed to comments at the moment', 'wp-graphql' ) );
 			}
 
-			if ( '1' === get_option( 'comment_registration' ) && ! is_user_logged_in() ) {
-				throw new UserError( esc_html__( 'This site requires you to be logged in to leave a comment', 'wp-graphql' ) );
+			// If the user is not log in, the behavior can vary depending on the site settings.
+			if ( ! is_user_logged_in() ) {
+				// Throw if the site requires a logged in user to comment.
+				if ( '1' === get_option( 'comment_registration' ) ) {
+					throw new UserError( esc_html__( 'This site requires you to be logged in to leave a comment', 'wp-graphql' ) );
+				}
+
+				// Throw is the site requires a name and email to comment.
+				if ( '1' === get_option( 'require_name_email' ) && ( empty( $input['author'] ) || empty( $input['authorEmail'] ) ) ) {
+					throw new UserError( esc_html__( 'This site requires you to provide a name and email address leave a comment', 'wp-graphql' ) );
+				}
 			}
 
 			/**

tests/wpunit/CommentMutationsTest.php

@@ -43,6 +43,8 @@ public function tearDown(): void {
 	}
 
 	public function createComment( &$post_id, &$comment_id, $postCreator, $commentCreator ) {
+		$old_user_id = get_current_user_id();
+
 		wp_set_current_user( $postCreator );
 		$post_args = [
 			'post_type'    => 'post',
@@ -70,6 +72,9 @@ public function createComment( &$post_id, &$comment_id, $postCreator, $commentCr
 		 * Create a comment to test against
 		 */
 		$comment_id = $this->factory()->comment->create( $comment_args );
+
+		// Restore the user
+		wp_set_current_user( $old_user_id );
 	}
 
 	public function trashComment( &$comment_id ) {
@@ -130,17 +135,27 @@ public function testCreateComment() {
 		}
 		';
 
-		$expected_content = apply_filters( 'comment_text', $this->content );
 
-		// test with logged in user
+		// Test with logged out user and registration required.
+		update_option( "comment_registration", "1" );
+
 		$variables = [
 			'commentOn' => $post_id,
 			'content'   => $this->content,
 			'author'    => null,
 			'email'     => null,
 		];
+
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayHasKey( 'errors', $actual );
+		$this->assertEquals( 'This site requires you to be logged in to leave a comment', $actual['errors'][0]['message'] );
+
+		// test with logged in user
 		wp_set_current_user( $this->admin );
 
+		$expected_content = apply_filters( 'comment_text', $this->content );
+
 		$actual = $this->graphql( compact( 'query', 'variables' ) );
 
 		$this->assertArrayNotHasKey( 'errors', $actual );
@@ -185,8 +200,91 @@ public function testCreateComment() {
 		$this->assertArrayNotHasKey( 'errors', $actual );
 		$this->assertTrue( $actual['data']['createComment']['success'] );
 		$this->assertEquals( $this->subscriber, $actual['data']['createComment']['comment']['author']['node']['databaseId'] );
+
+		// Cleanup option.
+		delete_option( "comment_registration" );
 	}
 
+	public function testCreateCommentAsUnauthenticated(): void {
+		add_filter( 'duplicate_comment_id', '__return_false' );
+		add_filter( 'comment_flood_filter', '__return_false' );
+
+		$args = [
+			'post_type'    => 'post',
+			'post_status'  => 'publish',
+			'post_title'   => 'Original Title for testCreateCommentAsUnauthenticated',
+			'post_content' => 'Original Content',
+		];
+
+		/**
+		 * Create a page to test against
+		 */
+		$post_id = $this->factory()->post->create( $args );
+
+		$new_post = $this->factory()->post->get_object_by_id( $post_id );
+
+		$query = '
+		mutation createUnauthenticatedCommentTest( $commentOn:Int!, $author:String, $email: String, $content:String! ){
+			createComment(
+				input: {
+					commentOn: $commentOn
+					content: $content
+					author: $author
+					authorEmail: $email
+				}
+			)
+			{
+				success
+				comment {
+					databaseId
+					status
+				}
+			}
+		}
+		';
+
+		// Test with no author or email.
+		$variables = [
+			'commentOn' => $post_id,
+			'content'   => $this->content,
+			'author'    => null,
+			'email'     => null,
+		];
+
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayHasKey( 'errors', $actual );
+		$this->assertEquals( 'This site requires you to provide a name and email address leave a comment', $actual['errors'][0]['message'] );
+
+		// Test with just an email.
+		$variables['email'] = 'sometest@forCommentMutations.test';
+
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayHasKey( 'errors', $actual );
+		$this->assertEquals( 'This site requires you to provide a name and email address leave a comment', $actual['errors'][0]['message'] );
+
+		// Test with both author and email.
+		$variables['author'] = 'Comment Author';
+
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayNotHasKey( 'errors', $actual );
+		$this->assertTrue( $actual['data']['createComment']['success'] );
+
+		// Comment is null because it hasn't been 'approved'.
+		$this->assertNull( $actual['data']['createComment']['comment'] );
+
+		// Test when email and author arent required.
+		update_option( 'require_name_email', '0' );
+
+		$variables['email']  = null;
+
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayNotHasKey( 'errors', $actual );
+		$this->assertTrue( $actual['data']['createComment']['success'] );
+	}
 
 	public function testCreateChildComment() {
 		// Create parent comment.
@@ -253,7 +351,7 @@ public function testUpdateCommentWithAuthorConnection() {
 
 		$new_comment = $this->factory()->comment->get_object_by_id( $comment_id );
 
-		$this->assertEquals( $new_comment->user_id, get_current_user_id() );
+		$this->assertEquals( $new_comment->user_id, $this->subscriber );
 		$this->assertEquals( $new_comment->comment_post_ID, $post_id );
 		$this->assertEquals( $new_comment->comment_content, 'Comment Content' );
 
@@ -293,7 +391,17 @@ public function testUpdateCommentWithAuthorConnection() {
 			'content' => $content,
 		];
 
+		// Test without permissions.
 		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayHasKey( 'errors', $actual );
+		$this->assertEquals( 'Sorry, you are not allowed to update this comment.', $actual['errors'][0]['message'] );
+
+		// Test with permissions
+		wp_set_current_user( $this->subscriber );
+
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
 		$this->assertArrayNotHasKey( 'errors', $actual );
 		$this->assertEquals( $expected, $actual['data'] );
 
@@ -381,7 +489,7 @@ public function testDeleteCommentWithPostConnection() {
 
 		$new_comment = $this->factory()->comment->get_object_by_id( $comment_id );
 		$content     = 'Comment Content';
-		$this->assertEquals( $new_comment->user_id, get_current_user_id() );
+		$this->assertEquals( $new_comment->user_id, $this->subscriber );
 		$this->assertEquals( $new_comment->comment_post_ID, $post_id );
 		$this->assertEquals( $new_comment->comment_content, $content );
 
@@ -408,6 +516,15 @@ public function testDeleteCommentWithPostConnection() {
 			'id' => $comment_id,
 		];
 
+		// Test unauthenticated.
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayHasKey( 'errors', $actual );
+		$this->assertEquals( 'Sorry, you are not allowed to delete this comment.', $actual['errors'][0]['message'] );
+
+		// Test as authenticated.
+		wp_set_current_user( $this->subscriber );
+
 		$actual = $this->graphql( compact( 'query', 'variables' ) );
 
 		$expected = [
@@ -437,6 +554,8 @@ public function testDeleteCommentWithPostConnection() {
 			],
 		];
 
+		wp_set_current_user( $this->subscriber );
+
 		$actual = $this->graphql( compact( 'query', 'variables' ) );
 		codecept_debug( $actual );
 		$this->assertEquals( $expected, $actual['data'] );
@@ -453,7 +572,7 @@ public function testRestoreComment() {
 
 		$new_comment = $this->factory()->comment->get_object_by_id( $comment_id );
 		$content     = 'Comment Content';
-		$this->assertEquals( $new_comment->user_id, get_current_user_id() );
+		$this->assertEquals( $new_comment->user_id, $this->subscriber );
 		$this->assertEquals( $new_comment->comment_post_ID, $post_id );
 		$this->assertEquals( $new_comment->comment_content, $content );
 
@@ -494,10 +613,15 @@ public function testRestoreComment() {
 		];
 
 		// Test without permissions
-		wp_set_current_user( 0 );
 		$actual = $this->graphql( compact( 'query', 'variables' ) );
 		$this->assertArrayHasKey( 'errors', $actual );
 
+		// Test as subscriber
+		wp_set_current_user( $this->subscriber );
+		$actual = $this->graphql( compact( 'query', 'variables' ) );
+
+		$this->assertArrayHasKey( 'errors', $actual );
+
 		// Test with permissions
 		wp_set_current_user( $this->admin );