Resolve PR review gaps across comments, security, feeds, and UX

2026-02-28 13:47:21 +00:00
parent 932b05cc02
commit 36ac487cbd
15 changed files with 325 additions and 7 deletions
--- a/apps/comments/tests/test_views.py
+++ b/apps/comments/tests/test_views.py
@@ -1,5 +1,6 @@
 import pytest
 from django.core.cache import cache
+from django.test import override_settings

 from apps.blog.models import ArticleIndexPage, ArticlePage
 from apps.blog.tests.factories import AuthorFactory
@@ -60,3 +61,71 @@ def test_comment_post_rejected_when_comments_disabled(client, home_page):
    )
    assert resp.status_code == 404
    assert Comment.objects.count() == 0
+
+
+@pytest.mark.django_db
+def test_comment_reply_depth_is_enforced(client, home_page):
+    cache.clear()
+    index = ArticleIndexPage(title="Articles", slug="articles")
+    home_page.add_child(instance=index)
+    author = AuthorFactory()
+    article = ArticlePage(title="A", slug="a", author=author, summary="s", body=[("rich_text", "<p>body</p>")])
+    index.add_child(instance=article)
+    article.save_revision().publish()
+
+    parent = Comment.objects.create(
+        article=article,
+        author_name="Parent",
+        author_email="p@example.com",
+        body="Parent",
+        is_approved=True,
+    )
+    child = Comment.objects.create(
+        article=article,
+        parent=parent,
+        author_name="Child",
+        author_email="c@example.com",
+        body="Child",
+        is_approved=True,
+    )
+
+    resp = client.post(
+        "/comments/post/",
+        {
+            "article_id": article.id,
+            "parent_id": child.id,
+            "author_name": "TooDeep",
+            "author_email": "deep@example.com",
+            "body": "Nope",
+            "honeypot": "",
+        },
+    )
+    assert resp.status_code == 302
+    assert Comment.objects.count() == 2
+
+
+@pytest.mark.django_db
+@override_settings(TRUSTED_PROXY_IPS=[])
+def test_comment_uses_remote_addr_when_proxy_untrusted(client, home_page):
+    cache.clear()
+    index = ArticleIndexPage(title="Articles", slug="articles")
+    home_page.add_child(instance=index)
+    author = AuthorFactory()
+    article = ArticlePage(title="A", slug="a", author=author, summary="s", body=[("rich_text", "<p>body</p>")])
+    index.add_child(instance=article)
+    article.save_revision().publish()
+
+    client.post(
+        "/comments/post/",
+        {
+            "article_id": article.id,
+            "author_name": "Test",
+            "author_email": "test@example.com",
+            "body": "Hello",
+            "honeypot": "",
+        },
+        REMOTE_ADDR="10.0.0.1",
+        HTTP_X_FORWARDED_FOR="203.0.113.7",
+    )
+    comment = Comment.objects.get()
+    assert comment.ip_address == "10.0.0.1"
--- a/apps/comments/views.py
+++ b/apps/comments/views.py
@@ -1,7 +1,9 @@
 from __future__ import annotations

+from django.conf import settings
 from django.contrib import messages
 from django.core.cache import cache
+from django.core.exceptions import ValidationError
 from django.http import HttpResponse
 from django.shortcuts import get_object_or_404, redirect
 from django.views import View
@@ -11,9 +13,18 @@ from apps.comments.forms import CommentForm
 from apps.comments.models import Comment


+def client_ip_from_request(request) -> str:
+    remote_addr = request.META.get("REMOTE_ADDR", "").strip()
+    trusted_proxies = getattr(settings, "TRUSTED_PROXY_IPS", [])
+    x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR", "")
+    if remote_addr in trusted_proxies and x_forwarded_for:
+        return x_forwarded_for.split(",")[0].strip()
+    return remote_addr
+
+
 class CommentCreateView(View):
    def post(self, request):
-        ip = (request.META.get("HTTP_X_FORWARDED_FOR") or request.META.get("REMOTE_ADDR", "")).split(",")[0].strip()
+        ip = client_ip_from_request(request)
        key = f"comment-rate:{ip}"
        count = cache.get(key, 0)
        if count >= 3:
@@ -34,6 +45,11 @@ class CommentCreateView(View):
            if parent_id:
                comment.parent = Comment.objects.filter(pk=parent_id, article=article).first()
            comment.ip_address = ip or None
+            try:
+                comment.full_clean()
+            except ValidationError:
+                messages.error(request, "Reply depth exceeds the allowed limit")
+                return redirect(article.url)
            comment.save()
            messages.success(request, "Your comment is awaiting moderation")
            return redirect(f"{article.url}?commented=1")