Make WordPress Core

Opened 5 years ago

Last modified 15 months ago

#10931 assigned enhancement

Verify Comment Email Addresses of Registered Users

Reported by: mtdewvirus
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 2.8.4
Component: Comments
Keywords: has-patch needs-refresh
Focuses:
Cc:

Description

When leaving a comment with an email address of a registered user, WordPress should force the visitor to login or change the email address in the comment form.

Anyone can impersonate a blog's user if they know the user's email address.

Attachments (4)

wp-comments-post.php.diff (713 bytes) - added by scribu 4 years ago.
wp-comments-post.2.diff (668 bytes) - added by ShaneF 4 years ago.
10931.diff (1.4 KB) - added by greuben 3 years ago.
10931-2.diff (2.1 KB) - added by greuben 3 years ago.

Change History (45)

comment:1 filosofo, 5 years ago

Duplicate of #8646 ?

comment:2 Denis-de-Bernardy, 5 years ago

Yeah. I closed the old one. See #8646, #2543, #1598.

comment:3 scribu, 5 years ago

  • Milestone changed from Unassigned to 2.9
  • Version set to 2.8.4

comment:4 Denis-de-Bernardy, 5 years ago

  • Version changed from 2.8.4 to 1.5

comment:5 scribu, 4 years ago

  • Keywords changed from comments,email to comments email
  • Owner set to scribu
  • Status changed from new to accepted

comment:6 scribu, 4 years ago

  • Keywords has-patch added; comments email removed

scribu, 4 years ago

comment:7 ryan, 4 years ago

How about get_user_by('email', $comment_author_email)?

comment:8 ShaneF, 4 years ago

  • Keywords commit added

Works as designed. Changed format to what ryan had above.

ShaneF, 4 years ago

comment:9 ryan, 4 years ago

Having a means to go back would be nice. Relevant discussion here:

http://core.trac.wordpress.org/ticket/4332#comment:15

comment:10 ryan, 4 years ago

Maybe this should wait until we can offer a login form instead of just a die or go back. See #11172 for the planned login_form() function which would help here.

comment:11 ryan, 4 years ago

  • Milestone changed from 2.9 to 3.0
  • Type changed from defect (bug) to task (blessed)

Postponing to 3.0 where we're planning to standardize the login and comment form stuff. That work will make it much easier to offer a good interaction here.

comment:12 scribu, 4 years ago

  • Cc scribu@… added

comment:13 Denis-de-Bernardy, 4 years ago

  • Version changed from 1.5 to 2.8.4

comment:14 mattrude, 4 years ago

  • Cc m@… added

comment:15 westi, 4 years ago

  • Cc westi added
  • Keywords has-patch commit removed

I agree that it will be better for this to take advantage of #10931 - going to remove commit/has_patch for now as I think it is better to have an implementation which offers a login form so people can continue on and actually comment.

comment:16 dd32, 4 years ago

I agree that it will be better for this to take advantage of #10931

I agree as well. Without it, this ticket wouldn't exist! :)

comment:17 follow-up: hakre, 4 years ago

I think westi had some other ticket in mind... but which one?

comment:18 in reply to: ↑ 17 westi, 4 years ago

Replying to hakre:

I think westi had some other ticket in mind... but which one?

I did #11172 - i.e. display a login form.

comment:19 follow-up: rmccue, 4 years ago

  • Cc me@… added
  • Keywords needs-patch added

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

comment:20 in reply to: ↑ 19 nacin, 4 years ago

  • Milestone changed from 3.0 to 3.1

Replying to rmccue:

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

Too late for 3.0 though. Moving to 3.1.

Remains a blessed task.

comment:21 scribu, 4 years ago

  • Owner scribu deleted
  • Status changed from accepted to assigned

If I don't come up with an updated patch, go on without me... :)

comment:23 mdawaffe, 4 years ago

This solution is incomplete. If we're going to prevent impersonation, we need to implement CSRF protection for all logged in commentors. The patch on #13791 does this. The proposed code there is hook based, so it's all configurable/extendable. It's also more complicated.

If we go with this method, we'll need to pull in the CSRF stuff from #13791.

comment:24 nacin, 4 years ago

  • Milestone changed from Awaiting Triage to Future Release
  • Type changed from task (blessed) to enhancement

comment:25 scribu, 4 years ago

Instead of preventing the user from commenting, I think a better solution would be to accept the comment, but send it to the moderation queue.

There, the comment could have a notification displayed, to the effect of "Possible impersonation".

comment:26 scribu, 4 years ago

This could be done by storing a custom field on the comment.

comment:27 westi, 3 years ago

  • Keywords 3.2-early added
  • Milestone changed from Future Release to Awaiting Triage

I'd like us to consider implementing this in 3.2

comment:28 westi, 3 years ago

  • Milestone changed from Awaiting Triage to Future Release

Use Future Release to constrain 3.2-early

greuben, 3 years ago

comment:29 greuben, 3 years ago

  • Keywords has-patch added; needs-patch removed

The patch only moves the comment to moderation if it is not spam and the email is a registered one.
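As an added illustration of the approach described in comment:25/26 and in this patch description (not code from the ticket's attachments), the following plugin-style snippet holds a comment for moderation when its e-mail matches a registered user who is not the logged-in visitor, and tags it with comment meta so the moderation screen can say why. The hook names and `get_user_by()` are core WordPress APIs; the function names and the `_possible_impersonation` meta key are assumptions, and the admin notice assumes WordPress 4.1 or later for the two-argument `comment_text` filter.

```php
<?php
// Added example, not one of the ticket's patches. Function names and the
// '_possible_impersonation' meta key are assumptions; hooks are core WP APIs.

// True when the address belongs to a registered user other than the visitor.
function wpex_email_belongs_to_other_user( $email ) {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return false; // not a registered address: nothing to verify
    }
    // A logged-in user submitting their own address is not impersonation.
    return ! ( is_user_logged_in() && get_current_user_id() === (int) $user->ID );
}

// Runs late so Akismet-style 'spam'/'trash' decisions are left untouched (cf. comment:32);
// everything else that matches a registered address is held (0 = moderation queue).
function wpex_hold_possible_impersonation( $approved, $commentdata ) {
    if ( in_array( $approved, array( 'spam', 'trash' ), true ) ) {
        return $approved;
    }
    if ( wpex_email_belongs_to_other_user( $commentdata['comment_author_email'] ) ) {
        return 0;
    }
    return $approved;
}
add_filter( 'pre_comment_approved', 'wpex_hold_possible_impersonation', 20, 2 );

// Record the reason on the saved comment (the custom field from comment:26).
function wpex_flag_possible_impersonation( $comment_id, $approved ) {
    $comment = get_comment( $comment_id );
    if ( $comment && wpex_email_belongs_to_other_user( $comment->comment_author_email ) ) {
        add_comment_meta( $comment_id, '_possible_impersonation', 1, true );
    }
}
add_action( 'comment_post', 'wpex_flag_possible_impersonation', 10, 2 );

// Surface the flag next to the comment text in wp-admin only (comment:25).
function wpex_impersonation_notice( $text, $comment ) {
    if ( is_admin() && $comment
        && get_comment_meta( $comment->comment_ID, '_possible_impersonation', true ) ) {
        $text = '<p><strong>Possible impersonation:</strong> this e-mail belongs to a '
              . 'registered user who was not logged in.</p>' . $text;
    }
    return $text;
}
add_filter( 'comment_text', 'wpex_impersonation_notice', 10, 2 );
```

The caveats in comment:37 still apply: a suspended or not-yet-activated account matches by e-mail too, so the held comment is only a signal for the moderator, not proof of impersonation.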

greuben, 3 years ago

comment:30 scribu, 3 years ago

  • Keywords changed from has-patch, 3.2-early to has-patch 3.2-early

Found out there's a plugin for this: http://wordpress.org/extend/plugins/impostercide/

comment:31 follow-up: dd32, 3 years ago

I don't think moving to spam is the ideal method here. Sure, some people will be spamming or attempting to use someone else's details, but there's also the case of people who are unable to differentiate between logging in and commenting anonymously.

My ideal workflow would be for the comment to be marked pending, followed by the commenter being given a login screen; if they can log in as that user, the comment is marked as theirs (and set to approved) and they're redirected back to the posting.

comment:32 in reply to: ↑ 31 greuben, 3 years ago

Replying to dd32:

I don't think moving to spam is the ideal method here. Sure, some people will be spamming or attempting to use someone else's details, but there's also the case of people who are unable to differentiate between logging in and commenting anonymously.

My ideal workflow would be for the comment to be marked pending, followed by the commenter being given a login screen; if they can log in as that user, the comment is marked as theirs (and set to approved) and they're redirected back to the posting.

10931-2.diff does not move to spam; it moves the comment to the moderation queue unless Akismet (or other spam plugins) mark the comment as spam...

comment:33 follow-up: dd32, 3 years ago

Sorry, misread the patch as spam rather than pending/moderation queue.

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it".

comment:34 in reply to: ↑ 33 greuben, 3 years ago

Replying to dd32:

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it".

For that, we can set

$comment_approved = -1; // or 2, as a new "held: possible impersonation" status

and the comments loop in themes (or wp_list_comments) should do

if ( $comment_approved == -1 || $comment_approved == 2 ) {
    echo "blah blah...";
}

comment:35 DrewAPicture, 2 years ago

#20165 Closed as dup/related.

comment:36 jane, 2 years ago

  • Keywords needs-refresh added; 3.2-early removed

I would much prefer to force a login than push to moderation.

comment:37 nacin, 2 years ago

One thing to keep in mind: if a user is suspended/"deleted" or not yet activated, or has lost their password, forcing a login may prevent a comment from occurring temporarily or permanently.

Also, forcing a login here is actually pretty difficult from a technical perspective.

I think a push to moderation would be lame as well. Just pointing out some potential challenges.

comment:38 jane, 2 years ago

@nacin: I would also be fine with this being in a plugin. :)

comment:39 Ipstenu, 23 months ago

  • Cc ipstenu@… added

comment:40 mark-k, 15 months ago

It is not only the impersonation possibility that is problematic, but also that the end result of commenting while logged in and while logged off might be different. When logged off, author styling will not be applied and the comment author URL will not be set to the website field in the user's profile.

Why not have something like

if user not logged in but email matches an active user {
    store comment in spam queue 
    dispatch cron event to be executed an hour later
    redirect to login form with redirect_to set to an admin URL in which the comment can be approved
    once approved duplicate the comment as if it was submitted by the user while he is logged in, remove the original from spam and process the new one
    then redirect to the post in which the comment was made.
}

in the cron event {
  if comment is still marked as spam send a mail to its author telling him to contact the admin about approving that comment
}

Comment initially marked as spam since the damage of impersonation is probably higher than the damage of one comment being lost.

comment:41 cais, 15 months ago

  • Cc edward.caissie@… added