Opened 8 years ago
Closed 8 years ago
#38855 closed task (blessed) (fixed)
REST API: Turn off unauthed comment write by default
Reported by: | helen | Owned by: | rmccue |
---|---|---|---|
Milestone: | 4.7 | Priority: | high |
Severity: | major | Version: | |
Component: | REST API | Keywords: | has-patch has-unit-tests |
Focuses: | Cc: |
Description
Posting anonymous comments is a long-time feature of WordPress, but also one that is much maligned when it comes to spam and the tightly related issue of pingback DDoS-ing. Per my understanding, writing to the comments endpoint does not allow for anything except the default comment type and is subject to the existing flood protections for comment posting, but I think we should turn off unauthed write by default for the following reasons:
- It does not currently present any significant benefit to have it on by default (open to arguments here, of course); however, given the nature of the internet, one can reasonably assume that spam bots will almost immediately adapt to this new availability.
- Assuming that this becomes even a perceived attack vector, hosts will then block access, much like they often do for XML-RPC, rendering it uselessly on by default and an even more frustrating fix for users.
- Spam and DDoS-ing attacks are some of the biggest perception problems we have as a project when it comes to core; it would be foolish to ship something that blithely repeats those same things because "that's how it currently works". We would been seen as idiots who don't care, and rightfully so IMO. This is of particular concern if the REST API is meant to be positioned to appeal to developers who have otherwise avoided WordPress.
No personal opinion on the filter and/or admin UI route. It is probably going to be kind of weird that you have one UI option to require users to be logged in to comment that doesn't apply to the REST API, as it's off by default. But in any case, this is the sort of thing that right now would be enabled by themes and plugins - we can always revisit in the future should third party experiences that involve unauthed commenting proliferate.
Original GitHub discussion: https://github.com/WP-API/WP-API/pull/693
Attachments (2)
Change History (13)
This ticket was mentioned in Slack in #core-restapi by rachelbaker. View the logs.
8 years ago
#4
@
8 years ago
I agree with this - though it's nice to have unauth'ed comment creation, at least at this point it seems pertinent to err on the side of caution. Themes that want to build comment experiences with the REST API can also use the PHP filter to change this if they wanted. It's more the widespread enabling that I think is likely to be a problem.
#5
@
8 years ago
In 38855.diff I added a filter named rest_allow_anonymous_comments
that defaults to false
to enable opening the endpoint up to anyone/everyone.
The patch causes many of our unit tests to fail, so they will need to updated/adjusted as needed.
I wanted to get this up before I had to step away for baby pickup.
#6
@
8 years ago
Looking good - maybe we should check !== true
just to be a bit more safe, incase someone hooks into to use it as an, accidentally returning null
#7
@
8 years ago
I'm personally for unauthed comment writes by default - however, I don't think it needs to be in the initial release while concerns around it still exist and not everyone is on the same page.
Having it available to be enabled by a filter allows themes to potentially use it if they wish, and should get the attention of anti-spam plugins to review if their plugins still operate as required via the endpoint.
Ah, also, while not necessarily a decisive reason to do this, it does help ease the mind that we won't have any unauthed write on by default in something so new that is about to get a lot more attention :)