WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#20165 closed feature request (duplicate)

Guest might comment with nickname and e-mail of administrator

Reported by: wikicms Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3.1
Component: Comments Keywords: needs-patch
Focuses: Cc:
PR Number:

Description

The bug described on http://leks13.ru/2012/02/spam/ (Russian language).
In short - If guest know e-mail of admin, he can make reply (comment) without moderation. May be don't allow guests commented with e-mail of registered users?
Thanks.

Change History (4)

#1 @wikicms
8 years ago

  • Keywords needs-patch added

#2 @dd32
8 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Themes can choose to style registered users comments differently if they choose to do so.

However: #10931

#3 follow-up: @jane
8 years ago

  • Type changed from defect (bug) to feature request

This isn't really bug, it's designed to work this way, so I changed the type to feature request. I discovered this a couple of years ago and did an experiment on a site on wordpress.ocm where @designsimply and I wrote spurious comments on a post masquerading as each other by being not logged in and entering the other's email.

The display of registered users is not the issue, it's a matter of being logged in. The way to prevent fake commenting (and since the email generates the gravatar it looks real to the outsider) for registered users would be to force a login if the email is recognized. For non-registered users, there is no way to verify they are who they say they are unless we started using some external thing (sign in with facebook etc).

I will admit I was up in arms about it a couple of years ago, but the response I got then was that this wasn't really a big problem, and now I tend to agree. Abuse of commenting identity is pretty edge-case, so while I still support forcing a login for registered users, I think the non-registered commenter identity issue is probably best left to a plugin. Suggest closing wontfix since the registered user part already has a 2-year old ticket (that dd32 linked above).

#4 in reply to: ↑ 3 @wikicms
8 years ago

Replying to jane:

I discovered this a couple of years ago and did an experiment on a site on wordpress.ocm where @designsimply and I wrote spurious comments on a post masquerading as each other by being not logged in and entering the other's email.

[Sorry, Offtop] )
It would be nice to do Gravatar opportunity allowed the sites to which you can use my email. Thanks for message Jane.

Note: See TracTickets for help on using tickets.