WordPress.org

Make WordPress Core

Opened 10 years ago

Last modified 19 months ago

#10931 assigned enhancement

Verify Comment Email Addresses of Registered Users

Reported by: mtdewvirus Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 2.8
Component: Comments Keywords: has-patch needs-refresh
Focuses: Cc:

Description

When leaving a comment with an email address of a registered user, WordPress should force the visitor to login or change the email address in the comment form.

Anyone can impersonate a blog's user if they know the user's email address.

Attachments (4)

wp-comments-post.php.diff (713 bytes) - added by scribu 10 years ago.
wp-comments-post.2.diff (668 bytes) - added by ShaneF 10 years ago.
10931.diff (1.4 KB) - added by greuben 9 years ago.
10931-2.diff (2.1 KB) - added by greuben 9 years ago.

Download all attachments as: .zip

Change History (50)

#1 @filosofo
10 years ago

Duplicate of #8646 ?

#2 @Denis-de-Bernardy
10 years ago

Yeah. I closed the old one. See #8646, #2543, #1598.

#3 @scribu
10 years ago

  • Milestone changed from Unassigned to 2.9
  • Version set to 2.8.4

#4 @Denis-de-Bernardy
10 years ago

  • Version changed from 2.8.4 to 1.5

#5 @scribu
10 years ago

  • Keywords changed from comments,email to comments email
  • Owner set to scribu
  • Status changed from new to accepted

#6 @scribu
10 years ago

  • Keywords has-patch added; comments email removed

#7 @ryan
10 years ago

How about get_user_by('email', $comment_author_email)?

#8 @ShaneF
10 years ago

  • Keywords commit added

Works as designed. Changed format to of what ryan had above.

#9 @ryan
10 years ago

Having a means to go back would be nice. Relevant discussion here:

http://core.trac.wordpress.org/ticket/4332#comment:15

#10 @ryan
10 years ago

Maybe this should wait until we can offer a login form instead of just a die or go back. See #11172 for the planned login_form() function which would help here.

#11 @ryan
10 years ago

  • Milestone changed from 2.9 to 3.0
  • Type changed from defect (bug) to task (blessed)

Postponing to 3.0 where we're planning to standardize the login and comment form stuff. That work will make it much easier to offer a good interaction here.

#12 @scribu
10 years ago

  • Cc scribu@… added

#13 @Denis-de-Bernardy
10 years ago

  • Version changed from 1.5 to 2.8.4

#14 @mattrude
10 years ago

  • Cc m@… added

#15 @westi
10 years ago

  • Cc westi added
  • Keywords has-patch commit removed

I agree that it will be better for this to take advantage of #10931 - going to remove commit/has_patch for now as I think it is better to have an implementation which offers a login form so people can continue on and actually comment.

#16 @dd32
10 years ago

I agree that it will be better for this to take advantage of #10931

I agree as well, Without it, This ticket wouldnt exist! :)

#17 follow-up: @hakre
10 years ago

I think westi had some other ticket in mind... but which one?

#18 in reply to: ↑ 17 @westi
10 years ago

Replying to hakre:

I think westi had some other ticket in mind... but which one?

I did #11172 - i.e. display a login form.

#19 follow-up: @rmccue
9 years ago

  • Cc me@… added
  • Keywords needs-patch added

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

#20 in reply to: ↑ 19 @nacin
9 years ago

  • Milestone changed from 3.0 to 3.1

Replying to rmccue:

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

Too late for 3.0 though. Moving to 3.1.

Remains a blessed task.

#21 @scribu
9 years ago

  • Owner scribu deleted
  • Status changed from accepted to assigned

If I don't come up with an updated patch, go on without me... :)

#23 @mdawaffe
9 years ago

This solution is incomplete. If we're going to prevent impersonation, we need to implement CSRF protection for all logged in commentors. The patch on #13791 does this. The proposed code there is hook based, so it's all configurable/extendable. It's also more complicated.

If we go with this method, we'll need to pull in the CSRF stuff from #13791.

#24 @nacin
9 years ago

  • Milestone changed from Awaiting Triage to Future Release
  • Type changed from task (blessed) to enhancement

#25 @scribu
9 years ago

Instead of preventing the user from commenting, I think a better solution would be to accept the comment, but send it to the moderation queue.

There, the comment could have a notification displayed, to the effect of "Possible impersonation".

#26 @scribu
9 years ago

This could be done by storing a custom field on the comment.

#27 @westi
9 years ago

  • Keywords 3.2-early added
  • Milestone changed from Future Release to Awaiting Triage

I'd like us to consider implementing this in 3.2

#28 @westi
9 years ago

  • Milestone changed from Awaiting Triage to Future Release

Use Future Release to constrain 3.2-early

@greuben
9 years ago

#29 @greuben
9 years ago

  • Keywords has-patch added; needs-patch removed

The patch only moves the comment to moderation if it is not spam and email is registered one.

@greuben
9 years ago

#30 @scribu
8 years ago

  • Keywords changed from has-patch, 3.2-early to has-patch 3.2-early

Found out there's a plugin for this: http://wordpress.org/extend/plugins/impostercide/

#31 follow-up: @dd32
8 years ago

I don't think moving to spam is the ideal method here, Sure, some people will be spamming or attempting to use someone elses details.. but there's also the case of people who are unable to differentiate logging in, and commenting anonymously.

My idea workflow would be for the comment to be marked pending, followed by the commentor being given a login screen, if they can login as that user, the comment is marked as them (and set to approved) and they're redirected back to the posting..

#32 in reply to: ↑ 31 @greuben
8 years ago

Replying to dd32:

I don't think moving to spam is the ideal method here, Sure, some people will be spamming or attempting to use someone elses details.. but there's also the case of people who are unable to differentiate logging in, and commenting anonymously.

My idea workflow would be for the comment to be marked pending, followed by the commentor being given a login screen, if they can login as that user, the comment is marked as them (and set to approved) and they're redirected back to the posting..

10931-2.diff does not move to spam, it moves the comment to moderation queue unless Akismet( or other spam plugins ) mark the comment as spam...

#33 follow-up: @dd32
8 years ago

Sorry, misread the patch as spam rather than pending/moderation queue.

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it"

#34 in reply to: ↑ 33 @greuben
8 years ago

Replying to dd32:

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it"

For that, we can set
$comment_approved = -1 or 2;

and comments loop in themes (or wp_list_comments) should do

if( $comment_approved = -1 or 2 ){
echo "blah blah...";
}

#35 @DrewAPicture
7 years ago

#20165 Closed as dup/related.

#36 @jane
7 years ago

  • Keywords needs-refresh added; 3.2-early removed

I would much prefer to force a login than push to moderation.

#37 @nacin
7 years ago

One thing to keep in mind; if a user is suspended/"deleted" or not yet activated, or has lost their password, forcing a login may prevent a comment from occurring temporarily or permanently.

Also, forcing a login here is actually pretty difficult from a technical perspective.

I think a push to moderation would be lame as well. Just pointing out some potential challenges.

#38 @jane
7 years ago

@nacin: I would also be fine with this being in a plugin. :)

#39 @Ipstenu
7 years ago

  • Cc ipstenu@… added

#40 @mark-k
7 years ago

It is not only the impersonation possibility that is problematic, but also that the end result of commenting while logged in and while logged off might be different. When logged off author stylig will not be applied and the comment author URL will not be set to the website field in the user's profile.

Why not have something like

if user not logged in but email matches an active user {
    store comment in spam queue 
    dispatch cron event to be executed an hour later
    redirect to login form with redirect_to set to an admin URL in which the comment can be approved
    once approved duplicate the comment as if it was submitted by the user while he is logged in, remove the original from spam and process the new one
    then redirect to the post in which the comment was made.
}

in the cron event {
  if comment is still marked as spam send a mail to its author telling him to contact the admin about approving that comment
}

Comment initialy marked as spam since the damage of impersonation is probably higher then the damage of one comment being lost.

#41 @cais
7 years ago

  • Cc edward.caissie@… added

#42 @chriscct7
4 years ago

  • Version changed from 2.8.4 to 2.8

This ticket was mentioned in Slack in #core by johnbillion. View the logs.


4 years ago

This ticket was mentioned in Slack in #core by kraft. View the logs.


4 years ago

This ticket was mentioned in Slack in #core-comments by boone. View the logs.


3 years ago

#46 @playjoy
19 months ago

I wanted to report this issue (for bbPress).
I'm amazed the issue still exists after 8 years it was first reported...

Note: See TracTickets for help on using tickets.