blob: 83d662cbf59a117b7fff0586102dc2f574e4697d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
[[!template id=gitbranch branch=smcv/ready/comments author="[[smcv]]"
browse="http://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/ready/comments"]]
[[!tag patch users/smcv/ready]]
The ability to post comments depends on several factors:
* `comments_pagespec` controls whether comments on a particular
page will be displayed
* `comments_closed_pagespec` controls whether comments on
a particular page are allowed
* the `check_canedit` call controls whether comments are allowed
for a particular combination of page and user
If `check_canedit` says that a user can post a comment
(in particular, if [[plugins/opendiscussion]] is enabled or
[[plugins/lockedit]] is disabled or permissive),
and `comments_closed_pagespec` does not contradict it,
then users who construct a `do=comment` CGI URL manually
can post comments that will not be displayed. I don't think
this is a security flaw as such, which is why I'm not
reporting it privately, but it violates least-astonishment.
My `ready/comments` branch fixes this, by changing the test
at submission time from (pseudocode)
!comments_closed_pagespec && check_canedit
to
comments_pagespec && !comments_closed_pagespec && check_canedit
--[[smcv]]
> [[merged|done]] --[[smcv]]
|