Guest users are able to add and view comments after removing comments from whitelist #549

Open
PrajwolAmatya opened this issue Feb 28, 2023 · 1 comment
@PrajwolAmatya

Steps to reproduce

  1. set the guests whitelist so that comments is not in the whitelist
  2. user Alice creates and shares a file textfile.txt
  3. guest user [email protected] registers

Now use the curl command:

 curl -u [email protected]:<password> \
  -X POST \
  -H "Content-Type: application/json" \
  --data-binary '{"message":"this is my message","actorType":"users","verb":"comment"}' \
  "http://localhost/core/remote.php/dav/comments/files/<fileId>" -v

Expected behaviour

Guest user should not be able to add, view and delete comments on a shared resource

Expected response: 403 Forbidden

Actual behaviour

Guest user is able to add, view and delete comments on a shared resource

Actual Response

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user '[email protected]'
> POST /core/remote.php/dav/comments/files/2147488942 HTTP/1.1
> Host: localhost
> Authorization: Basic dGVzdEBleGFtcGxlLmNvbTp0ZXN0
> User-Agent: curl/7.81.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 69
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Tue, 28 Feb 2023 11:37:18 GMT
< Server: Apache/2.4.52 (Ubuntu)
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: oc5p8n2d2r60=k6q1sr2upkv8nhm90783g4ah0j; path=/core; HttpOnly; SameSite=Strict
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=eg%2FT%2FC3BrqUKWNLZYI4ZVqG1N68DO0kWmecEwJ%2BUichvczPD8OhUW97Lc4d2thY72bxApWwe4IfCshInkijB2oO3syF0qC6zr9DIgcpEthnOcdFAYmK7n6aC6FmWkHPB; expires=Tue, 28-Feb-2023 11:57:18 GMT; Max-Age=1200; path=/core; HttpOnly; SameSite=Strict
< Content-Security-Policy: default-src 'none';
< Set-Cookie: oc5p8n2d2r60=i4jonr9k9nok3qrugbqj38o7ak; path=/core; HttpOnly; SameSite=Strict
< Set-Cookie: cookie_test=test; expires=Tue, 28-Feb-2023 12:37:18 GMT; Max-Age=3600
< Content-Location: /core/remote.php/dav/comments/files/2147488942/78
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< 
* Connection #0 to host localhost left intact

PrajwolAmatya changed the title from "Guest users are able to add, view and delete comments after removing comments from whitelist" to "Guest users are able to add and view comments after removing comments from whitelist" Mar 9, 2023
PrajwolAmatya changed the title from "Guest users are able to add and view comments after removing comments from whitelist" to "Guest users are able to add, view and delete comments after removing comments from whitelist" Mar 9, 2023
@SwikritiT

SwikritiT commented Mar 20, 2023

TODO QA Team

PrajwolAmatya changed the title from "Guest users are able to add, view and delete comments after removing comments from whitelist" to "Guest users are able to add and view comments after removing comments from whitelist" Mar 30, 2023