Ticket #1614 (closed defect: fixed)

Opened 1 year ago

Last modified 6 months ago

AddComment allows comments to be added by anonymous

Reported by: stava@telcotec.se Assigned to: athomas
Priority: normal Component: AddCommentMacro
Severity: normal Keywords:
Cc: Trac Release: 0.10

Description

We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:

http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment

Other than that, thanks for a great macro! /Lars Stavholm

Change History

11/23/07 21:47:34 changed by osimons

(In [2818]) AddCommentMacro: Adding form_token and more readable permissions in code.

References #1614

11/23/07 21:53:59 changed by osimons

  • status changed from new to closed.
  • resolution set to fixed.

The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.

About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be easier to read that in the code now.

The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.

Closing.
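
The two server-side checks discussed in this ticket (a permission check that depends on the appendonly option, and a form token bound to the session), as an added example that is not the macro's code or changeset [2818]. The function names, the `form_token` field name, and the WIKI_MODIFY requirement when appendonly is off are assumptions of this sketch.

```python
import hmac
import secrets

# Hypothetical permission names following the ticket's wording. Requiring
# WIKI_MODIFY when appendonly is off is an assumption of this example.
VIEW, MODIFY = "WIKI_VIEW", "WIKI_MODIFY"


def new_form_token():
    """Random per-session token, embedded in the comment form as a hidden field."""
    return secrets.token_hex(16)


def may_add_comment(args, perms, session_token, appendonly):
    """Decide on the server whether a submitted comment is accepted.

    args          -- submitted request parameters (dict of str)
    perms         -- set of permissions held by the requesting user
    session_token -- token issued to this session, or None if none was issued
    appendonly    -- the macro option described in the ticket
    Returns (allowed, reason).
    """
    if "submitaddcomment" not in args:
        return False, "not a submit"
    # Permission is enforced here, not implied by whether the form was rendered.
    required = VIEW if appendonly else MODIFY
    if required not in perms:
        return False, "missing " + required
    # The token must be present and equal to the one bound to the session.
    sent = args.get("form_token", "")
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "bad form_token"
    if not args.get("addcomment", "").strip():
        return False, "empty comment"
    return True, "ok"


# Constructed sample: the parameters of the URL quoted in the ticket.
TICKET_ARGS = {
    "authoraddcomment": "ErnestH", "submitaddcomment": "Add",
    "previewaddcomment": "Preview", "canceladdcomment": "Cancel",
    "addcomment": "TheActualComment",
}
```

With appendonly off, the ticket's request is refused on the permission check alone; with appendonly on and WIKI_VIEW granted to anonymous, it is still refused unless it carries the session's token.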

