urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ikiwiki/doc/plugins/contrib/comments.mdwn

88 lines
4.2 KiB
Markdown
Raw Blame History

[[!template id=plugin name=comments author="[[Simon_McVittie|smcv]]"]]
[[!tag type/useful]]
This plugin adds "blog-style" comments. The intention is that on a non-wiki site
(like a blog) you can lock all pages for admin-only access, then allow otherwise
unprivileged (or perhaps even anonymous) users to comment on posts.
When using this plugin, you should also enable [[htmlscrubber]] and either [[htmltidy]]
or [[htmlbalance]]. Directives are filtered out by default, to avoid commenters slowing
down the wiki by causing time-consuming processing. As long as the recommended plugins
are enabled, comment authorship should hopefully be unforgeable by CGI users.
> I'm not sure that raw html should be a problem, as long as the
> htmlsanitizer and htmlbalanced plugins are enabled. I can see filtering
> out directives, as a special case. --[[Joey]]
>> Right, if I sanitize each post individually, with htmlscrubber and either htmltidy
>> or htmlbalance turned on, then there should be no way the user can forge a comment;
>> I was initially wary of allowing meta directives, but I think those are OK, as long
>> as the comment template puts the \[[!meta author]] at the *end*. Disallowing
>> directives is more a way to avoid commenters causing expensive processing than
>> anything else, at this point.
>>
>> I've rebased the plugin on master, made it sanitize individual posts' content
>> and removed the option to disallow raw HTML. Sanitizing individual posts before
>> they've been htmlized required me to preserve whitespace in the htmlbalance
>> plugin, so I did that. Alternatively, we could htmlize immediately and always
>> save out raw HTML? --[[smcv]]
>> There might be some use cases for other directives, such as img, in
>> comments.
>>
>> I don't know if meta is "safe" (ie, guaranteed to be inexpensive and not
>> allow users to do annoying things) or if it will continue to be in the
>> future. Hard to predict really, all that can be said with certainty is
>> all directives will contine to be inexpensive and safe enough that it's
>> sensible to allow users to (ab)use them on open wikis.
>> --[[Joey]]
The plugin adds a new [[ikiwiki/PageSpec]] match type, `postcomment`, for use
with `anonok_pagespec` from the [[plugins/anonok]] plugin or `locked_pages` from
the [[plugins/lockedit]] plugin. Typical usage would be something like:
locked_pages => "!postcomment(*)"
to allow non-admin users to comment on pages, but not edit anything. You can also do
anonok_pages => "postcomment(*)"
to allow anonymous comments (the IP address will be used as the "author").
There are some global options for the setup file:
* `comments_shown_pagespec`: pages where comments will be displayed inline, e.g. `blog/*`
or `*/discussion`.
* `comments_open_pagespec`: pages where new comments can be posted, e.g.
`blog/* and created_after(close_old_comments)` or `*/discussion`
* `comments_pagename`: if this is e.g. `comment_` (the default), then comments on the
[[sandbox]] will be called something like `sandbox/comment_12`
* `comments_allowdirectives`: if true (default false), comments may contain IkiWiki
directives
* `comments_commit`: if true (default true), comments will be committed to the version
control system
This plugin aims to close the [[todo]] item "[[todo/supporting_comments_via_disussion_pages]]",
and is currently available from [[smcv]]'s git repository on git.pseudorandom.co.uk (it's the
`postcomment` branch). A demo wiki with the plugin enabled is running at
<http://www.pseudorandom.co.uk/2008/ikiwiki/demo/>.
Known issues:
* Needs code review
* The access control via postcomment() is rather strange
* There is some common code cargo-culted from other plugins (notably inline and editpage) which
should probably be shared
> I haven't done a detailed code review, but I will say I'm pleased you
> avoided re-implementing inline! --[[Joey]]
Wishlist:
* tbm would like anonymous people to be able to enter their name and possibly email
address
* smcv would like an indication of who you're posting as / the ability to log in
as someone else (even if anonymous comments are allowed, it'd be nice to be
able to choose to log in with a username or OpenID, like in Livejournal);
perhaps editpage needs this too
Reference in New Issue View Git Blame Copy Permalink