Make WordPress Core

Opened 15 years ago

Last modified 6 weeks ago

#10931 assigned enhancement

Verify Comment Email Addresses of Registered Users

Reported by: mtdewvirus's profile mtdewvirus Owned by:
Milestone: 6.8 Priority: normal
Severity: normal Version:
Component: Comments Keywords: needs-patch
Focuses: Cc:

Description

When leaving a comment with an email address of a registered user, WordPress should force the visitor to login or change the email address in the comment form.

Anyone can impersonate a blog's user if they know the user's email address.

Attachments (4)

wp-comments-post.php.diff (713 bytes) - added by scribu 15 years ago.
wp-comments-post.2.diff (668 bytes) - added by ShaneF 15 years ago.
10931.diff (1.4 KB) - added by greuben 14 years ago.
10931-2.diff (2.1 KB) - added by greuben 14 years ago.

Download all attachments as: .zip

Change History (54)

#1 @filosofo
15 years ago

Duplicate of #8646 ?

#2 @Denis-de-Bernardy
15 years ago

Yeah. I closed the old one. See #8646, #2543, #1598.

#3 @scribu
15 years ago

  • Milestone changed from Unassigned to 2.9
  • Version set to 2.8.4

#4 @Denis-de-Bernardy
15 years ago

  • Version changed from 2.8.4 to 1.5

#5 @scribu
15 years ago

  • Keywords changed from comments,email to comments email
  • Owner set to scribu
  • Status changed from new to accepted

#6 @scribu
15 years ago

  • Keywords has-patch added; comments email removed

#7 @ryan
15 years ago

How about get_user_by('email', $comment_author_email)?

#8 @ShaneF
15 years ago

  • Keywords commit added

Works as designed. Changed format to of what ryan had above.

#9 @ryan
15 years ago

Having a means to go back would be nice. Relevant discussion here:

http://core.trac.wordpress.org/ticket/4332#comment:15

#10 @ryan
15 years ago

Maybe this should wait until we can offer a login form instead of just a die or go back. See #11172 for the planned login_form() function which would help here.

#11 @ryan
15 years ago

  • Milestone changed from 2.9 to 3.0
  • Type changed from defect (bug) to task (blessed)

Postponing to 3.0 where we're planning to standardize the login and comment form stuff. That work will make it much easier to offer a good interaction here.

#12 @scribu
15 years ago

  • Cc scribu@… added

#13 @Denis-de-Bernardy
15 years ago

  • Version changed from 1.5 to 2.8.4

#14 @mattrude
15 years ago

  • Cc m@… added

#15 @westi
15 years ago

  • Cc westi added
  • Keywords has-patch commit removed

I agree that it will be better for this to take advantage of #10931 - going to remove commit/has_patch for now as I think it is better to have an implementation which offers a login form so people can continue on and actually comment.

#16 @dd32
15 years ago

I agree that it will be better for this to take advantage of #10931

I agree as well, Without it, This ticket wouldnt exist! :)

#17 follow-up: @hakre
15 years ago

I think westi had some other ticket in mind... but which one?

#18 in reply to: ↑ 17 @westi
15 years ago

Replying to hakre:

I think westi had some other ticket in mind... but which one?

I did #11172 - i.e. display a login form.

#19 follow-up: @rmccue
15 years ago

  • Cc me@… added
  • Keywords needs-patch added

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

#20 in reply to: ↑ 19 @nacin
15 years ago

  • Milestone changed from 3.0 to 3.1

Replying to rmccue:

We have a login form thanks to #11172 now, so this ticket appears to be ready for a proper patch.

Too late for 3.0 though. Moving to 3.1.

Remains a blessed task.

#21 @scribu
15 years ago

  • Owner scribu deleted
  • Status changed from accepted to assigned

If I don't come up with an updated patch, go on without me... :)

#23 @mdawaffe
15 years ago

This solution is incomplete. If we're going to prevent impersonation, we need to implement CSRF protection for all logged in commentors. The patch on #13791 does this. The proposed code there is hook based, so it's all configurable/extendable. It's also more complicated.

If we go with this method, we'll need to pull in the CSRF stuff from #13791.

#24 @nacin
14 years ago

  • Milestone changed from Awaiting Triage to Future Release
  • Type changed from task (blessed) to enhancement

#25 @scribu
14 years ago

Instead of preventing the user from commenting, I think a better solution would be to accept the comment, but send it to the moderation queue.

There, the comment could have a notification displayed, to the effect of "Possible impersonation".

#26 @scribu
14 years ago

This could be done by storing a custom field on the comment.

#27 @westi
14 years ago

  • Keywords 3.2-early added
  • Milestone changed from Future Release to Awaiting Triage

I'd like us to consider implementing this in 3.2

#28 @westi
14 years ago

  • Milestone changed from Awaiting Triage to Future Release

Use Future Release to constrain 3.2-early

@greuben
14 years ago

#29 @greuben
14 years ago

  • Keywords has-patch added; needs-patch removed

The patch only moves the comment to moderation if it is not spam and email is registered one.

@greuben
14 years ago

#30 @scribu
14 years ago

  • Keywords changed from has-patch, 3.2-early to has-patch 3.2-early

Found out there's a plugin for this: http://wordpress.org/extend/plugins/impostercide/

#31 follow-up: @dd32
14 years ago

I don't think moving to spam is the ideal method here, Sure, some people will be spamming or attempting to use someone elses details.. but there's also the case of people who are unable to differentiate logging in, and commenting anonymously.

My idea workflow would be for the comment to be marked pending, followed by the commentor being given a login screen, if they can login as that user, the comment is marked as them (and set to approved) and they're redirected back to the posting..

#32 in reply to: ↑ 31 @greuben
14 years ago

Replying to dd32:

I don't think moving to spam is the ideal method here, Sure, some people will be spamming or attempting to use someone elses details.. but there's also the case of people who are unable to differentiate logging in, and commenting anonymously.

My idea workflow would be for the comment to be marked pending, followed by the commentor being given a login screen, if they can login as that user, the comment is marked as them (and set to approved) and they're redirected back to the posting..

10931-2.diff does not move to spam, it moves the comment to moderation queue unless Akismet( or other spam plugins ) mark the comment as spam...

#33 follow-up: @dd32
14 years ago

Sorry, misread the patch as spam rather than pending/moderation queue.

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it"

#34 in reply to: ↑ 33 @greuben
14 years ago

Replying to dd32:

I do think that giving the user some kind of feedback of "Hey, your comment has been sent to the queue due to the email address being in use.." would be beneficial to many users who might not "get it"

For that, we can set
$comment_approved = -1 or 2;

and comments loop in themes (or wp_list_comments) should do

if( $comment_approved = -1 or 2 ){
echo "blah blah...";
}

#35 @DrewAPicture
13 years ago

#20165 Closed as dup/related.

#36 @jane
13 years ago

  • Keywords needs-refresh added; 3.2-early removed

I would much prefer to force a login than push to moderation.

#37 @nacin
13 years ago

One thing to keep in mind; if a user is suspended/"deleted" or not yet activated, or has lost their password, forcing a login may prevent a comment from occurring temporarily or permanently.

Also, forcing a login here is actually pretty difficult from a technical perspective.

I think a push to moderation would be lame as well. Just pointing out some potential challenges.

#38 @jane
13 years ago

@nacin: I would also be fine with this being in a plugin. :)

#39 @Ipstenu
13 years ago

  • Cc ipstenu@… added

#40 @mark-k
12 years ago

It is not only the impersonation possibility that is problematic, but also that the end result of commenting while logged in and while logged off might be different. When logged off author stylig will not be applied and the comment author URL will not be set to the website field in the user's profile.

Why not have something like

if user not logged in but email matches an active user {
    store comment in spam queue 
    dispatch cron event to be executed an hour later
    redirect to login form with redirect_to set to an admin URL in which the comment can be approved
    once approved duplicate the comment as if it was submitted by the user while he is logged in, remove the original from spam and process the new one
    then redirect to the post in which the comment was made.
}

in the cron event {
  if comment is still marked as spam send a mail to its author telling him to contact the admin about approving that comment
}

Comment initialy marked as spam since the damage of impersonation is probably higher then the damage of one comment being lost.

#41 @cais
12 years ago

  • Cc edward.caissie@… added

#42 @chriscct7
9 years ago

  • Version changed from 2.8.4 to 2.8

This ticket was mentioned in Slack in #core by johnbillion. View the logs.


9 years ago

This ticket was mentioned in Slack in #core by kraft. View the logs.


9 years ago

This ticket was mentioned in Slack in #core-comments by boone. View the logs.


9 years ago

#46 @playjoy
7 years ago

I wanted to report this issue (for bbPress).
I'm amazed the issue still exists after 8 years it was first reported...

#47 @SergeyBiryukov
5 years ago

#49527 was marked as a duplicate.

#48 @bookdude13
5 years ago

Renewing interest in this. The main issues still to handle appear to be:

  • How to deal with expired nonces in cached pages
  • How to handle comments by anonymous or logged-out users (are they treated as anonymous, or are they treated as "normal" after a successful login?)

For expired nonces, one of these solutions could be explored.

For comments by logged-out users, some type of caching, queuing, or extra verification before the post seems to be the consensus?

#49 @farhadvn
4 years ago

i used a function for this problem! Of course, it may not be up to WordPress standards, but I hope it helps

function useremailcheck($approved){
 // example function
$email = filter_var($_POST["email"],FILTER_SANITIZE_EMAIL) ?: null;
// this SANITIZE is after wordpress validation, so this filter is not make sense, however wordpress devs can delete or replace it with a standard wordpress var.
if(is_user_logged_in() === false
// check if 1. user is not loggedin
 && isset($email)
 // 2. email is set
&& get_user_by("email",$email) !== false
// 3. we have an user with this email
&& $approved != "spam"
// 4. not marked as spam before
){
 $approved = 0;
// Force pending even if comments are open to all
 }
  return $approved;
}

add_action("pre_comment_approved","useremailcheck",999);

#50 @azaozz
6 weeks ago

  • Keywords needs-patch added; has-patch needs-refresh removed
  • Milestone changed from Future Release to 6.8
  • Version 2.8 deleted

Lets revisit this for 6.8.

Thinking that the idea to keep comments from existing users that are not logged-in in the moderation queue seems best. Such comments can be labelled in a specific way on the Comments screen so they would draw more attention.

One caveat with this idea may be comments by users that cannot moderate comments. In this case they may have to ask somebody else to approve their comments.

Alternatively the approach from https://core.trac.wordpress.org/attachment/ticket/10931/wp-comments-post.2.diff makes the most sense as it deals with this case as a "commenting error".

Note: See TracTickets for help on using tickets.