diff options
-rw-r--r-- | doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn b/doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn new file mode 100644 index 000000000..488fa0066 --- /dev/null +++ b/doc/bugs/possible_to_post_comments_that_will_not_be_displayed.mdwn @@ -0,0 +1,32 @@ +[[!template id=gitbranch branch=smcv/ready/comments author="[[smcv]]" +browse="http://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/ready/comments"]] +[[!tag patch]] + +The ability to post comments depends on several factors: + +* `comments_pagespec` controls whether comments on a particular + page will be displayed +* `comments_closed_pagespec` controls whether comments on + a particular page are allowed +* the `check_canedit` call controls whether comments are allowed + for a particular combination of page and user + +If `check_canedit` says that a user can post a comment +(in particular, if [[plugins/opendiscussion]] is enabled or +[[plugins/lockedit]] is disabled or permissive), +and `comments_closed_pagespec` does not contradict it, +then users who construct a `do=comment` CGI URL manually +can post comments that will not be displayed. I don't think +this is a security flaw as such, which is why I'm not +reporting it privately, but it violates least-astonishment. + +My `ready/comments` branch fixes this, by changing the test +at submission time from (pseudocode) + + !comments_closed_pagespec && check_canedit + +to + + comments_pagespec && !comments_closed_pagespec && check_canedit + +--[[smcv]] |