Opened 7 years ago

Closed 7 years ago

Last modified 3 years ago

#1614 closed defect (fixed)

AddComment allows comments to be added by anonymous

Reported by: stava@…
Owned by: athomas
Priority: normal
Component: AddCommentMacro
Severity: normal
Keywords:
Cc:
Trac Release: 0.10

Description

We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:

http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment

Other than that, thanks for a great macro!
/Lars Stavholm

Attachments (0)

Change History (2)

comment:1 Changed 7 years ago by osimons

(In [2818]) AddCommentMacro: Adding form_token and more readable permissions in code.

References #1614

comment:2 Changed 7 years ago by osimons

  • Resolution set to fixed
  • Status changed from new to closed

The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.

About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be easier to read that in the code now.

The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.

Closing.
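A minimal model of the server-side checks this ticket is about, added here as an example; it is not the AddCommentMacro code or changeset [2818]. The function names, the `form_token` field name and the WIKI_MODIFY requirement without appendonly are assumptions; the query parameter names come from the URL in the report.

```python
import hmac
import secrets

TOKEN_FIELD = "form_token"  # hypothetical hidden-field name for this sketch


def new_form_token():
    """Random per-session token, rendered as a hidden field in the comment form."""
    return secrets.token_hex(12)


def may_comment(perms, appendonly):
    # From the ticket: with appendonly, WIKI_VIEW is enough to add a comment.
    # Assumption: without appendonly, WIKI_MODIFY is required.
    return ("WIKI_VIEW" if appendonly else "WIKI_MODIFY") in perms


def check_submission(method, args, session_token, perms, appendonly):
    """Return (accepted, reason) for one comment submission."""
    if "submitaddcomment" not in args:
        return False, "not a submission"
    if method != "POST":
        return False, "state change requested via " + method
    sent = args.get(TOKEN_FIELD, "")
    # Constant-time comparison; an empty session token never matches.
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "missing or wrong form token"
    if not may_comment(perms, appendonly):
        return False, "permission denied"
    return True, "ok"


# Constructed sample data; parameter names taken from the URL in the report.
TOKEN = new_form_token()
QUERY = {"authoraddcomment": "ErnestH", "submitaddcomment": "Add",
         "addcomment": "TheActualComment"}
WITH_TOKEN = dict(QUERY, **{TOKEN_FIELD: TOKEN})
ANON = {"WIKI_VIEW"}
USER = {"WIKI_VIEW", "WIKI_MODIFY"}

if __name__ == "__main__":
    for method, args, perms, appendonly in [
            ("GET", QUERY, ANON, False), ("POST", QUERY, USER, False),
            ("POST", WITH_TOKEN, ANON, False), ("POST", WITH_TOKEN, ANON, True),
            ("POST", WITH_TOKEN, USER, False)]:
        print(method, sorted(perms), appendonly,
              check_submission(method, args, TOKEN, perms, appendonly))
```

The token check and the permission check are independent: the token only ties a submission to a form the server rendered for that session, while the permission check decides who may comment at all.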
