Opened 10 years ago

Closed 9 years ago

Last modified 6 years ago

# AddComment allows comments to be added by anonymous

- Reported by: stava@…
- Owned by: Alec Thomas
- Priority: normal
- Component: AddCommentMacro
- Severity: normal
- Release: 0.10

### Description

We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:

http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment


Other than that, thanks for a great macro! /Lars Stavholm

### comment:1 Changed 9 years ago by Odd Simon Simonsen

(In [2818]) AddCommentMacro: Adding form_token and more readable permissions in code.

References #1614

### comment:2 Changed 9 years ago by Odd Simon Simonsen

- Resolution: → fixed
- Status: new → closed

The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.

About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be easier to read that in the code now.

The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.

Closing.
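The checks discussed in this ticket, sketched as an added example (not the AddCommentMacro source or changeset [2818]): a comment submission is stored only if it is a POST, carries a form token matching the session cookie, and passes the permission rule. The names `check_add_comment` and `args_from_url` are hypothetical, the `__FORM_TOKEN` field name follows Trac core's form token, and requiring WIKI_MODIFY when appendonly is off is an assumption.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

# URL from the ticket description: the whole comment form as a query string.
TICKET_URL = ("http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH"
              "&submitaddcomment=Add&previewaddcomment=Preview"
              "&canceladdcomment=Cancel&addcomment=TheActualComment")


def args_from_url(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_add_comment(method, args, cookie_token, perms, appendonly):
    """Decide whether a comment submission may be stored.

    Hypothetical helper; returns (allowed, reason).
    """
    if "submitaddcomment" not in args:
        return False, "not a submission"
    # State-changing requests must be POST; a plain link is a GET.
    if method != "POST":
        return False, "method"
    # Form token: the hidden field must equal the per-session cookie value.
    sent = args.get("__FORM_TOKEN", "")
    if not cookie_token or not hmac.compare_digest(
            sent.encode(), cookie_token.encode()):
        return False, "form_token"
    # Permission rule. From the ticket: appendonly lets WIKI_VIEW holders
    # comment. Assumed here: otherwise WIKI_MODIFY is required.
    if "WIKI_MODIFY" in perms or (appendonly and "WIKI_VIEW" in perms):
        return True, "ok"
    return False, "permission"


if __name__ == "__main__":
    args = args_from_url(TICKET_URL)
    # Constructed session token and permission sets for illustration.
    print(check_add_comment("GET", args, "tok123", {"WIKI_VIEW"}, False))
    posted = dict(args, __FORM_TOKEN="tok123")
    print(check_add_comment("POST", posted, "tok123", {"WIKI_VIEW"}, False))
    print(check_add_comment("POST", posted, "tok123", {"WIKI_VIEW"}, True))
```
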
