#1614 closed defect (fixed)
AddComment allows comments to be added by anonymous
Reported by: | Owned by: | Alec Thomas | |
---|---|---|---|
Priority: | normal | Component: | AddCommentMacro |
Severity: | normal | Keywords: | |
Cc: | Trac Release: | 0.10 |
Description
We're using the AddComment macro in appendonly mode at LinAdd.org and we've noticed a surge in spam comments, so we turned off the appendonly option, thus (as we thought) requiring a user to be logged in to be able to post a comment. However, the following URL will post a comment regardless:
http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH&submitaddcomment=Add&previewaddcomment=Preview&canceladdcomment=Cancel&addcomment=TheActualComment
Other than that, thanks for a great macro! /Lars Stavholm
Change History (2)
comment:1 Changed 17 years ago by
comment:2 Changed 17 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
The [2818] changeset adds the regular form_token to the form, making it a bit harder to automate spam entry and similar.
About permissions in general, if anonymous has WIKI_VIEW then appendonly will let them add comments. Makes sense, and it should be easier to read that in the code now.
The fix is working for 0.11, but I don't expect that it will be fixed for older versions now.
Closing.
(In [2818]) AddCommentMacro: Adding form_token and more readable permissions in code.
References #1614
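The two checks this ticket discusses (a per-session form token and the appendonly permission rule), sketched as an added example; this is not the AddCommentMacro code from [2818]. The function names, the WIKI_MODIFY requirement when appendonly is off, and the sample token are assumptions; `__FORM_TOKEN` is the hidden field name Trac uses for its form token.

```python
import hmac
from urllib.parse import urlsplit, parse_qs

def can_comment(perms, appendonly):
    # From the ticket: with appendonly, WIKI_VIEW is enough to add a comment.
    # Assumption: without appendonly, WIKI_MODIFY is required.
    needed = "WIKI_VIEW" if appendonly else "WIKI_MODIFY"
    return needed in perms

def accept_comment(method, args, session_token, perms, appendonly):
    """Decide whether a comment submission is honoured. Returns (ok, reason)."""
    if "submitaddcomment" not in args:
        return False, "not a submit"
    # A state-changing request must not be accepted from a plain link.
    if method != "POST":
        return False, "state change over " + method
    # The token must match the one issued to this session's form.
    sent = args.get("__FORM_TOKEN", "")
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "missing or wrong form_token"
    # The token only shows the form was loaded; permissions decide who may post.
    if not can_comment(perms, appendonly):
        return False, "permission denied"
    return True, "ok"

def args_from_url(url):
    # Flatten the query string into the single-valued dict a handler would see.
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

# The URL quoted in the ticket description, used here as test input.
TICKET_URL = ("http://domain.tld/wiki/WikiStart?authoraddcomment=ErnestH"
              "&submitaddcomment=Add&previewaddcomment=Preview"
              "&canceladdcomment=Cancel&addcomment=TheActualComment")
TOKEN = "constructed-token-0123456789"  # constructed sample value

if __name__ == "__main__":
    anon = {"WIKI_VIEW"}  # constructed permission set for anonymous
    form = dict(args_from_url(TICKET_URL), __FORM_TOKEN=TOKEN)
    print(accept_comment("GET", args_from_url(TICKET_URL), TOKEN, anon, False))
    print(accept_comment("POST", args_from_url(TICKET_URL), TOKEN, anon, True))
    print(accept_comment("POST", form, TOKEN, anon, False))
    print(accept_comment("POST", form, TOKEN, anon, True))
```

The last two calls show the point made in comment:2: with a valid token, anonymous is still refused unless appendonly is on and WIKI_VIEW is granted.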