Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#1614 closed defect (fixed)

AddComment allows comments to be added by anonymous

Reported by: stava@…
Owned by: athomas
Priority: normal
Component: AddCommentMacro
Severity: normal
Keywords:
Cc:
Trac Release: 0.10

Description

We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:

http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment

Other than that, thanks for a great macro!
/Lars Stavholm

Change History (2)

comment:1 Changed 7 years ago by osimons

(In [2818]) AddCommentMacro: Adding form_token and more readable permissions in code.

References #1614

comment:2 Changed 7 years ago by osimons

  • Resolution set to fixed
  • Status changed from new to closed

The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.

About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be easier to read that in the code now.

The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.

Closing.
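
The two server-side checks discussed in this ticket, a permission check and a form_token check, sketched as an added example that is not the AddCommentMacro code or the [2818] changeset. The `Request` class, the `handle_add_comment` function, the `__FORM_TOKEN` field name and the use of WIKI_MODIFY when appendonly is off are assumptions of the example.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:
    """Constructed stand-in for a web request (hypothetical, not Trac's class)."""
    method: str
    args: dict
    authname: str = "anonymous"
    permissions: set = field(default_factory=set)
    form_token: str = ""  # token the server issued with the rendered form

# Constructed sample: the query parameters from the URL in the ticket.
TICKET_ARGS = {
    "authoraddcomment": "ErnestH", "submitaddcomment": "Add",
    "previewaddcomment": "Preview", "canceladdcomment": "Cancel",
    "addcomment": "TheActualComment",
}

def can_comment(req, appendonly):
    # appendonly: whoever may view the page may append a comment.
    # Otherwise (assumption of this example): wiki modify rights are needed.
    needed = "WIKI_VIEW" if appendonly else "WIKI_MODIFY"
    return needed in req.permissions

def handle_add_comment(req, appendonly, comments):
    """Return (accepted, reason). Every check runs on the server, so not
    rendering the form for a user is never the only barrier."""
    if "submitaddcomment" not in req.args:
        return False, "no submission"
    if req.method != "POST":
        return False, "state change requires POST"
    if not can_comment(req, appendonly):
        return False, "permission denied"
    sent = req.args.get("__FORM_TOKEN", "")
    if not req.form_token or not hmac.compare_digest(
            sent.encode(), req.form_token.encode()):
        return False, "missing or invalid form token"
    # Author comes from the session, not the query string (example's choice).
    comments.append((req.authname, req.args.get("addcomment", "")))
    return True, "ok"
```

With these checks the URL from the description is rejected at the first gate it fails, whether that is the request method, the permission or the token.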
