fix: nav/footer wireframe, honeypot CSP, explore topics, comment E2E coverage

- Replace nav inline newsletter form with Subscribe CTA link per wireframe
- Remove newsletter form from footer; add Connect section with social/RSS links
- Fix honeypot inputs using hidden attribute (inline style blocked by CSP)
- Add available_tags to HomePage.get_context for Explore Topics section
- Add data-comment-form attribute to main comment form for reliable locating
- Seed approved comment in E2E content for reply flow testing
- Expand test_comments.py: moderation message, not-immediately-visible,
  missing fields, reply form visible, reply submission
- Make COMMENT_RATE_LIMIT_PER_MINUTE configurable; set 100 in dev to prevent
  E2E test exhaustion; update rate limit unit test with override_settings
- Update newsletter/home E2E tests to reflect nav form removal
- Update unit test to assert no nav/footer newsletter forms

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

e2e/test_comments.py

@@ -12,39 +12,87 @@ def _go_to_article(page: Page, base_url: str) -> None:
     page.goto(f"{base_url}/articles/{ARTICLE_SLUG}/", wait_until="networkidle")
 
 
-@pytest.mark.e2e
-def test_valid_comment_submission_redirects(page: Page, base_url: str) -> None:
-    _go_to_article(page, base_url)
-
-    # Fill the main comment form (not a reply form)
-    form = page.locator("form[action]").filter(has=page.get_by_role("button", name="Post comment"))
-    form.locator('input[name="author_name"]').fill("E2E Tester")
-    form.locator('input[name="author_email"]').fill("e2e@example.com")
-    form.locator('textarea[name="body"]').fill("This is a test comment from Playwright.")
+def _submit_comment(page: Page, *, name: str = "E2E Tester", email: str = "e2e@example.com", body: str) -> None:
+    """Fill and submit the main (non-reply) comment form."""
+    form = page.locator("form[data-comment-form]")
+    form.locator('input[name="author_name"]').fill(name)
+    form.locator('input[name="author_email"]').fill(email)
+    form.locator('textarea[name="body"]').fill(body)
     form.get_by_role("button", name="Post comment").click()
 
-    # Successful submission redirects back to the article with ?commented=1
+
+@pytest.mark.e2e
+def test_valid_comment_shows_moderation_message(page: Page, base_url: str) -> None:
+    """Successful comment submission must show the awaiting-moderation banner."""
+    _go_to_article(page, base_url)
+    _submit_comment(page, body="This is a test comment from Playwright.")
+
     page.wait_for_url(lambda url: "commented=1" in url, timeout=10_000)
-    assert "commented=1" in page.url
+    expect(page.get_by_text("Your comment is awaiting moderation")).to_be_visible()
+
+
+@pytest.mark.e2e
+def test_valid_comment_not_immediately_visible(page: Page, base_url: str) -> None:
+    """Submitted comment must NOT appear in the comments list before moderation."""
+    _go_to_article(page, base_url)
+    unique_body = "Unique unmoderated comment body xq7z"
+    _submit_comment(page, body=unique_body)
+
+    page.wait_for_url(lambda url: "commented=1" in url, timeout=10_000)
+    expect(page.get_by_text(unique_body)).not_to_be_visible()
 
 
 @pytest.mark.e2e
 def test_empty_body_shows_form_errors(page: Page, base_url: str) -> None:
     _go_to_article(page, base_url)
+    _submit_comment(page, body="   ")  # whitespace-only body
+    page.wait_for_load_state("networkidle")
 
-    form = page.locator("form[action]").filter(has=page.get_by_role("button", name="Post comment"))
-    form.locator('input[name="author_name"]').fill("E2E Tester")
+    expect(page.locator('[aria-label="Comment form errors"]')).to_be_visible()
+    assert "commented=1" not in page.url
+
+
+@pytest.mark.e2e
+def test_missing_name_shows_form_errors(page: Page, base_url: str) -> None:
+    _go_to_article(page, base_url)
+
+    form = page.locator("form[data-comment-form]")
+    form.locator('input[name="author_name"]').fill("")
     form.locator('input[name="author_email"]').fill("e2e@example.com")
-    form.locator('textarea[name="body"]').fill("   ")  # whitespace-only body
+    form.locator('textarea[name="body"]').fill("Comment without a name.")
     form.get_by_role("button", name="Post comment").click()
     page.wait_for_load_state("networkidle")
 
-    # The page re-renders with the error summary visible
-    expect(page.locator('[aria-label="Comment form errors"]')).to_be_visible()
-    # URL must NOT have ?commented=1 — form was not accepted
     assert "commented=1" not in page.url
 
 
+@pytest.mark.e2e
+def test_reply_form_visible_on_approved_comment(page: Page, base_url: str) -> None:
+    """An approved seeded comment must display a reply form."""
+    _go_to_article(page, base_url)
+
+    # The seeded approved comment should be visible
+    expect(page.get_by_text("E2E Approved Commenter")).to_be_visible()
+    # And a Reply button for it
+    expect(page.get_by_role("button", name="Reply")).to_be_visible()
+
+
+@pytest.mark.e2e
+def test_reply_submission_redirects(page: Page, base_url: str) -> None:
+    """Submitting a reply to an approved comment should redirect with commented=1."""
+    _go_to_article(page, base_url)
+
+    # The reply form is always visible below the approved seeded comment
+    reply_form = page.locator("form[action]").filter(has=page.get_by_role("button", name="Reply")).first
+    reply_form.locator('input[name="author_name"]').fill("E2E Replier")
+    reply_form.locator('input[name="author_email"]').fill("replier@example.com")
+    reply_form.locator('textarea[name="body"]').fill("This is a test reply.")
+    reply_form.get_by_role("button", name="Reply").click()
+
+    page.wait_for_url(lambda url: "commented=1" in url, timeout=10_000)
+    expect(page.get_by_text("Your comment is awaiting moderation")).to_be_visible()
+
+
 @pytest.mark.e2e
 def test_comments_section_absent_when_disabled(page: Page, base_url: str) -> None:
     """Article with comments_enabled=False must not show the comments section."""
@@ -52,8 +100,7 @@ def test_comments_section_absent_when_disabled(page: Page, base_url: str) -> Non
     assert response is not None and response.status == 200, (
         f"Expected 200 for e2e-no-comments article, got {response and response.status}"
     )
-    # Confirm we're on the right page
     expect(page.get_by_role("heading", level=1)).to_have_text("No Comments Article")
-    # Comments section must be absent — exact=True prevents matching "No Comments Article" h1
     expect(page.get_by_role("heading", name="Comments", exact=True)).to_have_count(0)
     expect(page.get_by_role("button", name="Post comment")).to_have_count(0)
+

e2e/test_home.py

@@ -37,12 +37,11 @@ def test_theme_toggle_adds_dark_class(page: Page, base_url: str) -> None:
 
 
 @pytest.mark.e2e
-def test_newsletter_form_in_nav(page: Page, base_url: str) -> None:
+def test_nav_subscribe_cta_present(page: Page, base_url: str) -> None:
     page.goto(f"{base_url}/", wait_until="networkidle")
-    # The nav contains a newsletter form with an email input
     nav = page.locator("nav")
-    expect(nav.locator('input[type="email"]')).to_be_visible()
-    expect(nav.get_by_role("button", name="Subscribe")).to_be_visible()
+    # Nav has a Subscribe CTA link (not a form — wireframe spec)
+    expect(nav.get_by_role("link", name="Subscribe")).to_be_visible()
 
 
 @pytest.mark.e2e

e2e/test_newsletter.py

@@ -7,7 +7,8 @@ from playwright.sync_api import Page, expect
 
 
 def _nav_newsletter_form(page: Page):
-    return page.locator("nav").locator("form[data-newsletter-form]")
+    """Return the newsletter form in the home page sidebar aside."""
+    return page.locator("aside").locator("form[data-newsletter-form]").first
 
 
 @pytest.mark.e2e
@@ -28,7 +29,7 @@ def test_subscribe_invalid_email_shows_error(page: Page, base_url: str) -> None:
     form = _nav_newsletter_form(page)
     # Disable the browser's native HTML5 email validation so the JS handler
     # fires and sends the bad value to the server (which returns 400).
-    page.evaluate("document.querySelector('nav form[data-newsletter-form]').setAttribute('novalidate', '')")
+    page.evaluate("document.querySelector('aside form[data-newsletter-form]').setAttribute('novalidate', '')")
     form.locator('input[type="email"]').fill("not-an-email")
     form.get_by_role("button", name="Subscribe").click()