Context Navigation

Modify ↓

#1614 closed defect (fixed)

AddComment allows comments to be added by anonymous

Reported by:	stava@…	Owned by:	Alec Thomas
Priority:	normal	Component:	AddCommentMacro
Severity:	normal	Keywords:
Cc:		Trac Release:	0.10

Description

We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:

http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment

Other than that, thanks for a great macro! /Lars Stavholm

Attachments (0)

Change History (2)

comment:1 Changed 16 years ago by osimons

(In [2818]) AddCommentMacro: Adding form_token and more readable permissions in code.

References #1614

comment:2 Changed 16 years ago by osimons

Resolution:	→ fixed
Status:	new → closed

The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.

About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be a easier to read that in the code now.

The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.

Closing.

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Alec Thomas.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: