33 lines
1.2 KiB
Markdown
33 lines
1.2 KiB
Markdown
[[!template id=gitbranch branch=smcv/ready/comments author="[[smcv]]"
|
|
browse="http://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/ready/comments"]]
|
|
[[!tag patch users/smcv/ready]]
|
|
|
|
The ability to post comments depends on several factors:
|
|
|
|
* `comments_pagespec` controls whether comments on a particular
|
|
page will be displayed
|
|
* `comments_closed_pagespec` controls whether comments on
|
|
a particular page are allowed
|
|
* the `check_canedit` call controls whether comments are allowed
|
|
for a particular combination of page and user
|
|
|
|
If `check_canedit` says that a user can post a comment
|
|
(in particular, if [[plugins/opendiscussion]] is enabled or
|
|
[[plugins/lockedit]] is disabled or permissive),
|
|
and `comments_closed_pagespec` does not contradict it,
|
|
then users who construct a `do=comment` CGI URL manually
|
|
can post comments that will not be displayed. I don't think
|
|
this is a security flaw as such, which is why I'm not
|
|
reporting it privately, but it violates least-astonishment.
|
|
|
|
My `ready/comments` branch fixes this, by changing the test
|
|
at submission time from (pseudocode)
|
|
|
|
!comments_closed_pagespec && check_canedit
|
|
|
|
to
|
|
|
|
comments_pagespec && !comments_closed_pagespec && check_canedit
|
|
|
|
--[[smcv]]
|