Opened 10 years ago

Closed 10 years ago

## #1614 closed defect (fixed)

Reported by: stava@…

Owned by: Alec Thomas

normal, AddCommentMacro, normal, 0.10

### Description

We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:

http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment


Other than that, thanks for a great macro! /Lars Stavholm

References #1614

### comment:2 Changed 10 years ago by Odd Simon Simonsen

Resolution: → fixed

Status: new → closed

The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.

About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be easier to read that in the code now.

The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.

Closing.
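The checks discussed in this ticket, as an added example that is not the macro's code or the [2818] changeset: a simplified model of a handler that writes whenever the submit parameter is present, beside one that requires POST, a matching form token and the permission implied by the appendonly option. The `Request` class, the function names, the `__FORM_TOKEN` field name and the use of `WIKI_MODIFY` when appendonly is off are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:                      # hypothetical stand-in for a web request
    method: str
    args: dict
    authname: str = "anonymous"
    perms: set = field(default_factory=set)
    form_token: str = ""            # token the server bound to this session

def can_comment(req, appendonly):
    # appendonly: whoever may view the page may append a comment.
    # Otherwise modify permission is required (assumed: WIKI_MODIFY).
    needed = "WIKI_VIEW" if appendonly else "WIKI_MODIFY"
    return needed in req.perms

def handle_unchecked(req, appendonly, comments):
    # Model of the reported behaviour: the submit parameter alone triggers
    # the write, whatever the HTTP method, login state or macro option.
    if "submitaddcomment" in req.args:
        comments.append((req.args.get("authoraddcomment"), req.args["addcomment"]))
        return True
    return False

def handle_checked(req, appendonly, comments):
    if "submitaddcomment" not in req.args:
        return False
    if req.method != "POST":        # a GET must never change state
        return False
    sent = req.args.get("__FORM_TOKEN", "")
    # Constant-time comparison; an empty server-side token never matches.
    if not req.form_token or not hmac.compare_digest(
            sent.encode(), req.form_token.encode()):
        return False
    if not can_comment(req, appendonly):
        return False
    # Prefer the authenticated name over a client-supplied author field.
    author = req.authname
    if author == "anonymous":
        author = req.args.get("authoraddcomment", "anonymous")
    comments.append((author, req.args["addcomment"]))
    return True
```

The token check only stops requests that did not originate from a form the server rendered for that session; the permission check is what enforces the appendonly setting.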
