Opened 11 years ago

Closed 10 years ago

Last modified 6 years ago

#1614 closed defect (fixed)

AddComment allows comments to be added by anonymous

Reported by: stava@…
Owned by: Alec Thomas
Priority: normal
Component: AddCommentMacro
Severity: normal
Keywords:
Cc:
Trac Release: 0.10

Description

We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:

http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment

Other than that, thanks for a great macro! /Lars Stavholm

Change History (2)

comment:1 Changed 10 years ago by Odd Simon Simonsen

(In [2818]) AddCommentMacro: Adding form_token and more readable permissions in code.

References #1614

comment:2 Changed 10 years ago by Odd Simon Simonsen

Resolution: fixed
Status: new → closed

The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.

About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be easier to read that in the code now.

The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.

Closing.
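
The checks discussed in this ticket, as an added sketch that is not the AddCommentMacro code or changeset [2818]: a submission is honoured only if it arrives by POST, carries the session's form_token, and the user holds the needed permission. The function names, the `__FORM_TOKEN` field name and the WIKI_MODIFY requirement outside appendonly mode are assumptions.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


def required_permission(appendonly):
    # The ticket states that appendonly lets anyone with WIKI_VIEW comment.
    # WIKI_MODIFY for the non-appendonly case is an assumption of this sketch.
    return "WIKI_VIEW" if appendonly else "WIKI_MODIFY"


def may_add_comment(method, args, session_token, perms, appendonly):
    """Return (allowed, reason) for a comment submission (hypothetical helper)."""
    if "submitaddcomment" not in args:
        return False, "not a submission"
    # Query-string parameters alone must never change state.
    if method != "POST":
        return False, "state change requested via %s" % method
    # Compare the submitted token with the session's token in constant time.
    sent = args.get("__FORM_TOKEN", "").encode()
    expected = (session_token or "").encode()
    if not expected or not hmac.compare_digest(sent, expected):
        return False, "missing or wrong form_token"
    needed = required_permission(appendonly)
    if needed not in perms:
        return False, "lacks %s" % needed
    return True, "ok"


def args_from_url(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# Constructed sample input: the URL from the ticket description.
TICKET_URL = ("http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH"
              "&submitaddcomment=Add&previewaddcomment=Preview"
              "&canceladdcomment=Cancel&addcomment=TheActualComment")
ANONYMOUS = {"WIKI_VIEW"}   # constructed permission set
TOKEN = "tok123"            # constructed session token

if __name__ == "__main__":
    args = args_from_url(TICKET_URL)
    print(may_add_comment("GET", args, TOKEN, ANONYMOUS, False))
    print(may_add_comment("POST", args, TOKEN, ANONYMOUS, False))
    with_token = dict(args, __FORM_TOKEN=TOKEN)
    print(may_add_comment("POST", with_token, TOKEN, ANONYMOUS, False))
    print(may_add_comment("POST", with_token, TOKEN, ANONYMOUS, True))
```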
