Make WordPress Core

Opened 8 years ago

Closed 6 years ago

#28617 closed defect (bug) (fixed)

comments_popup should not be allowed to be access directly

Reported by: eduplessis Owned by: rachelbaker
Milestone: 4.5 Priority: normal
Severity: minor Version: 0.71
Component: Comments Keywords:
Focuses: Cc:

Description

Fresh install of WordPress... Or even on WordPress.com you can access the comments_popup page directly by typing ?comments_popup=postid.

ex: http://matt.wordpress.com/?comments_popup=7101

proposing fix if there is no template comments-popup.php in the template folder do not display the fallback.

it's from 0.71 but all version have the same issue.

Attachments (2)

28617.diff (20.8 KB) - added by johnbillion 6 years ago.
28617.2.diff (22.0 KB) - added by peterwilsoncc 6 years ago.

Download all attachments as: .zip

Change History (25)

#1 follow-up: @johnbillion
8 years ago

  • Severity changed from normal to minor

I wonder if anyone actually uses the comments popup?

#2 in reply to: ↑ 1 ; follow-up: @eduplessis
8 years ago

Replying to johnbillion:

I wonder if anyone actually uses the comments popup?

I know but even if nobody use it the direct like is gonna work.

Typical case of the problem...

  • User install WordPress
  • forgot to remove comments allowed in the setting
  • Make multiple post and page or/and custom post type
  • In is theme he don't have any function or template to make comments
  • looking good put the site online
  • receiving a lot of spam comments because the direct acces work

#3 in reply to: ↑ 2 ; follow-up: @johnbillion
8 years ago

  • Milestone changed from Awaiting Review to Future Release

Replying to eduplessis:

I know but even if nobody use it the direct link is gonna work.

Yeah. What I meant was, this is an ancient feature which we could probably just remove altogether.

#4 in reply to: ↑ 3 @eduplessis
8 years ago

Replying to johnbillion:

Replying to eduplessis:

I know but even if nobody use it the direct link is gonna work.

Yeah. What I meant was, this is an ancient feature which we could probably just remove altogether.

Oh sorry... :)

100% with you, but if we want to support older theme that use it, we have to keep it until someone take the decision to drop it.

#5 @rachelbaker
6 years ago

  • Keywords needs-patch added

This needs a patch to remove support for this legacy "feature"

@johnbillion
6 years ago

#6 follow-up: @johnbillion
6 years ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

In 28617.diff:

  • Deprecates and no-ops get_comments_popup_template(), is_comments_popup(), comments_popup_script(), and popuplinks().
  • Removes the comments_popup parameter in WP_Query and the public comments_popup query var.
  • Removes the comments popup template from the template hierarchy.
  • Removes theme-compat/comments-popup.php.

Combined, this entirely removes the popup comments template functionality. If a theme is actually using popup comments, it's going to stop functioning as expected with this change, but won't fatal.

It's 2015, so if any theme is using popup comments then I don't care enough about breaking it, but it would be good to know if there are any themes around which are using this functionality (any which are need to call the comments_popup_script() function, so that would be a good place to start if anyone wants to run a search).

#7 @johnbillion
6 years ago

  • Keywords 2nd-opinion removed
  • Milestone changed from Future Release to 4.4

This functionality is just as popular as I expected it to be. A search across the theme directory (thanks @jorbin) shows that three themes are using popup comments, and none of them have been updated within the last six years.

Let's do this.

This ticket was mentioned in Slack in #core by peterwilsoncc. View the logs.


6 years ago

#9 @peterwilsoncc
6 years ago

As I mentioned in Slack, I have some concerns loosing a comment only end-point.

The endpoint makes a nice non-JavaScript fallback for lazy loaded comments. Lazy loading comments is becoming more popular as a technique & I expect use to increase once the REST API hits core.

Maintaining the end-point allows a fallback to be encouraged, no matter how little it's used.

Happy for the functions generating the link to be deprecated.

Testing required a refresh against trunk, no matter my thoughts, it is attached in 28617.2.diff

#10 @wonderboymusic
6 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

#11 @rachelbaker
6 years ago

@johnbillion Should this ticket remain open pending feedback from a Make Core post? Or did you have a specific next action in mind?

#12 @johnbillion
6 years ago

  • Keywords 4.5-early added
  • Milestone changed from 4.4 to Future Release

#13 @rachelbaker
6 years ago

  • Keywords 4.5-early removed
  • Milestone changed from Future Release to 4.5

#14 @johnbillion
6 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 35848:

Comments: The year is 2003. Permalinks are a new thing and everyone's using Blogger. It's a time when opening a modal window in JavaScript to view a section of a website is not a completely weird thing, although many users get annoyed by it. b2 has recently become WordPress, and with it comes a bunch of functionality that will become stale over the next decade, remnants of simpler times.

Twelve years later, after no fewer than three themes have intentionally implemented popup comments in their functionality, before being abandoned for at least the last six years, we've reached a time where we can put this era behind us. A time when we can remove comment popup functionality from WordPress.

If this breaks the internet, I'll eat my hat.

Fixes #28617

#15 @johnbillion
6 years ago

In 35849:

Comments: Commit tests missed in [35848].

See #28617

#16 @DrewAPicture
6 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

On [35848], for back-compat (graceful degradation) we should actually deprecate the WP_Query property and any parameters in the class methods instead of just removing them. The language used in the changelog entry should also be "deprecate" not "remove".

#17 @johnbillion
6 years ago

  • Keywords has-patch removed

I'm actually going to let this soak right through until 4.5 beta, to see if any problems are reported.

#18 in reply to: ↑ 6 @drrobotnik
6 years ago

Replying to johnbillion:

In 28617.diff:

  • Deprecates and no-ops get_comments_popup_template(), is_comments_popup(), comments_popup_script(), and popuplinks().
  • Removes the comments_popup parameter in WP_Query and the public comments_popup query var.
  • Removes the comments popup template from the template hierarchy.
  • Removes theme-compat/comments-popup.php.

Combined, this entirely removes the popup comments template functionality. If a theme is actually using popup comments, it's going to stop functioning as expected with this change, but won't fatal.

It's 2015, so if any theme is using popup comments then I don't care enough about breaking it, but it would be good to know if there are any themes around which are using this functionality (any which are need to call the comments_popup_script() function, so that would be a good place to start if anyone wants to run a search).

This thread is about comment_popups. I'm wondering if it makes sense to remove popuplinks entirely since it's a general use fn, not specifically related to comments.

This ticket was mentioned in Slack in #core by chriscct7. View the logs.


6 years ago

#20 @chriscct7
6 years ago

We should publish a make post about it's removal a day after RC1 per discussion on slack

#21 @rachelbaker
6 years ago

@johnbillion No complaints so far, you okay with this staying in 4.5?

#22 @rachelbaker
6 years ago

  • Owner changed from johnbillion to rachelbaker
  • Status changed from reopened to assigned

#23 @johnbillion
6 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed
Note: See TracTickets for help on using tickets.