Opened 12 months ago

Last modified 7 months ago

#20846 new defect (bug)

Multisite: Network Users can post comments without being members of the site

Reported by: Ipstenu
Owned by:
Priority: normal
Milestone: Awaiting Review
Component: Multisite
Version: 3.0
Severity: normal
Keywords: has-patch ux-feedback
Cc: xoodrew@…, marty@…

Description

This is probably an 'ever since inception' issue and I can replicate it on 3.4.

Setup:

Have a user added to your network but not to a site (domain.com/test).

Set up domain.com/test to only allow registered users to comment. Remember, we've not added this new user to the site, just the network.

Log in as that user and go to domain.com/test

Oh look! You can comment as a 'registered' user.

This should be a check for 'Is this a user and, if multisite, is this user a member of the site?'

It's that or the wording needs to be clearer that anyone registered on the network can comment.

Attachments (2)

20846.patch (562 bytes) - added by SergeyBiryukov 12 months ago.
20846.2.patch (1.3 KB) - added by SergeyBiryukov 12 months ago.


Change History (11)

  • Keywords needs-patch added

This indeed looks like a bug.

comment:2 follow-up: ↓ 9   nacin, 12 months ago

This is how MU functioned. I dunno. You're logged in. It'll say you're logged in (assuming you have cookies issued). This is often going to be expected behavior. Sounds like a filter, at most, to me.

  • Keywords has-patch added; needs-patch removed

20846.2.patch is an attempt to take care of XML-RPC comments as well. Also combines two strings with the same meaning.

comment:4 follow-up: ↓ 5   helenyhou, 12 months ago

Is there actually a way for an end user to join a network site if already registered on the network? If not, seems like that would need changing first, or else this would become extremely frustrating. "Register to comment! Oh no wait, you can't sign up, your email address is already in use."

comment:5 in reply to: ↑ 4   Ipstenu, 12 months ago

Replying to nacin:

This is how MU functioned. I dunno. You're logged in. It'll say you're logged in (assuming you have cookies issued). This is often going to be expected behavior. Sounds like a filter, at most, to me.

Then we should change the language to explain that restricting comments to logged in users means network users, and not per site. Right now, it's "Users must be registered and logged in to comment"

Replying to helenyhou:

Is there actually a way for an end user to join a network site if already registered on the network? If not, seems like that would need changing first, or else this would become extremely frustrating. "Register to comment! Oh no wait, you can't sign up, your email address is already in use."

Not without a plugin, at this time.

If we were going to change the code to be you have to be a member of the site, then it shouldn't behave 100% like a logged out user. Having a way to 'join' a site would be very nice to build in as an option. Multisite locks 'registration' down to the network admin, though. If I turn off signups, no site has them. So it would have to be a per-site option 'allow registered network users to join your site...'

And now we've added layers on layers ;)

  • Component changed from Comments to Multisite
  • Keywords ux-feedback added
  • Cc xoodrew@… added
  • Cc marty@… added

comment:9 in reply to: ↑ 2   wpmuguru, 7 months ago

Replying to nacin:

This is how MU functioned.

Consider a single WP install as a network of one site. In a test single site, create a test user then remove the user's role. Set the discussion settings to registered users can comment. The test user can still comment even though they have no role on the site. The behavior in the network is the same. It isn't a test that the user has a role but a test that the user has a valid account.
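
The "filter, at most" approach raised in comment:2, combined with the membership check proposed in the description, could look like the following for a site owner who wants the stricter behavior. This is an added example, not WordPress core code and not either of the attached patches; the function name is hypothetical and the code is assumed to be loaded as a plugin on a multisite network.

```php
<?php
/**
 * Illustrative plugin: require site membership to comment on multisite.
 * Added example; the function name below is hypothetical.
 */

/**
 * Reject a comment when the site requires registration and the logged-in
 * user has a network account but is not a member of the current site.
 *
 * Hooked on 'preprocess_comment', which runs inside wp_new_comment(), so it
 * covers comments submitted through the web form and through XML-RPC.
 *
 * @param array $commentdata Comment data about to be saved.
 * @return array Unmodified comment data when the comment is allowed.
 */
function example_require_site_membership_to_comment( $commentdata ) {
	// Single-site installs and sites that allow anonymous comments are unaffected.
	if ( ! is_multisite() || ! get_option( 'comment_registration' ) ) {
		return $commentdata;
	}

	$user_id = get_current_user_id();

	// Leave logged-out visitors to core's own registration check.
	if ( 0 === $user_id ) {
		return $commentdata;
	}

	// Super admins may act on every site in the network.
	if ( is_super_admin( $user_id ) ) {
		return $commentdata;
	}

	// The check the ticket asks for: is this user a member of *this* site?
	if ( ! is_user_member_of_blog( $user_id, get_current_blog_id() ) ) {
		wp_die(
			esc_html__( 'Sorry, you must be a member of this site to comment.' ),
			'',
			array( 'response' => 403 )
		);
	}

	return $commentdata;
}
add_filter( 'preprocess_comment', 'example_require_site_membership_to_comment' );
```

As comment:4 and comment:5 point out, network users have no built-in way to join a site, so enabling a check like this without also providing a join path leaves those users unable to comment at all.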
