Actual Behavior

It is possible to manipulate or delete existing comments / threads by simply sending post requests to the WebsiteController:
e.g. https://localhost:8000/threads/b69cc46e-9527-48b5-a98d-3a3634c41f05/comments/2

Neither the WebsiteController nor the CommentManager validates the current user with the creator of the comment.

Expected Behavior

Only the creator of the comment should be able to delete or edit the comment.

Steps to Reproduce

1. Create a comment on the website frontend
2. Send post or delete request with threadId and commentId (you can find them in the html code on the frontend)

Expected Behavior

In the thread-form there should be a tab with a list of related comments. From there you should be able to goto the comment-form and back.

Actual Behavior

The tests should run with --prefer-lowest. The problem is that sulu 1.3 is not able to run the tests with lowest.

Actual Behavior

After creating a comment, the thread title is empty

Expected Behavior

Thread title should be filled in with what's passed as a template variable as described in the official docs

Steps to Reproduce

1. Include the comment section in your page template (see docs):

{{ render(path('sulu_comment.get_threads_comments', {
    threadId: 'page-' ~ uuid, 
    referrer: app.request.uri,
    threadTitle: 'This is my thread title', 
    _format: 'html'
})) }}

2. Fill in a comment
3. Send comment
4. Thread title in admin area is empty

Actual Behavior

Should work with latest Sulu bundle and PHP 8

Is there already work being done to make this work with PHP 8 and latest Sulu 2.5?

Actual Behavior

When Comment-form validation fails a 400-http-Response is sent back.

Expected Behavior

Comments form with validation errors is shown.

Steps to Reproduce

Extend Comment entity and CommentForm type and add a property with some constraint (eg. NotBlank).
On submission of empty form the validation fails and a "Bad Request" Response (400) is sent back to the client.

Possible Solutions

Change form-action to referrer and let the form handle the request there?

Actual Behavior

Threads are created without a title.

Expected Behavior

Threads get the title of the page/article they belong to.

Steps to Reproduce

Add comments form to article detail view and submit a comment -> a thread w/o a title is created.

Possible Solutions

Pass the Request-Param $threadTitle = $request->get('threadTitle') as an option to the comments-form when creating it inside \Sulu\Bundle\CommentBundle\Controller\WebsiteCommentController::cgetCommentsAction.
The rest can then be handled by extending the form-type and adding the intended title to the twig-render-call inside the article template.

Actual Behavior

CommentType disable csrf protection by default.

Expected Behavior

CSRF Protection should be enabled by default. But this will change the behaviour of AJAX requests.