WordPress.org

Make WordPress Core

Opened 8 weeks ago

Last modified 3 weeks ago

#43857 new defect (bug)

Show the comment / awaiting moderation message even without opt-in

Reported by: imath Owned by:
Milestone: 4.9.8 Priority: normal
Severity: normal Version: 4.9.6
Component: Privacy Keywords: has-patch gdpr needs-testing
Focuses: Cc:

Description

In #43436 a new opt-in checkbox was introduced which is great. But It seems very confusing to me to not have the feedback i used to have before when i've just commented a post: "Your comment is awaiting moderation".

Today when you comment, you have no ideas if the comment was successfully saved. Moreover the Anchor added to the URL in this case leads to nowhere as the comment has not been added to the page.

I think it would be nice to try to preserve this feedback so i'm suggesting the attached patch.

I prefered to open a new ticket about it to avoid bringing some noise to the existing one (#43436), in case you think my approach is a bad idea.

Attachments (3)

43857.patch (7.0 KB) - added by imath 8 weeks ago.
43857.2.patch (7.1 KB) - added by imath 8 weeks ago.
Make sure the complete form is cleaned.
43857.3.patch (7.5 KB) - added by imath 5 weeks ago.
Refresh the patch & make sure potential query vars added by plugins are not altered

Download all attachments as: .zip

Change History (29)

@imath
8 weeks ago

#1 @xkon
8 weeks ago

  • Keywords gdpr 2nd-opinion added

Hey @imath thanks for the info + the patch.

Just to be clear this concerns the redirect done when you did not opt-in for the cookie.

I did a test and I realised this: when you are redirected without opting-in, even though you don't have a cookie (so we're ok there), the form is again pre-filled. On the 2nd 'refresh' or going out & re-entering the page again the comment is vanished of course and the form is clean (we're ok here also).

Having the form prefilled since I'm getting a refresh when I hit the comment button is basically going against the text of the consent as I personally understand it since I skiped the 'save' basically and I'm even more confused now.

Would there be a way of having the form clean and clear as well and just view the comment that has the moderation message? This will surely look more in-line with what we're trying to achieve with the opt-in :) even for just the visual aspect if that makes sense?

I'll add gdpr here as well so we can have it on our list for some extra opinions.

#2 @imath
8 weeks ago

Hi @xkon

Just to be clear this concerns the redirect done when you did not opt-in for the cookie.

Absolutely, sorry i forgot to mention it in my description :)

Would there be a way of having the form clean and clear as well and just view the comment that has the moderation message?

Sure, i'm adding this need in a new version of the patch (43857.2.patch)

@imath
8 weeks ago

Make sure the complete form is cleaned.

#3 @xkon
8 weeks ago

Thanks for that fast update! This looks perfect front-end wise to me now.

This ticket was mentioned in Slack in #gdpr-compliance by xkon. View the logs.


8 weeks ago

#5 @xkon
8 weeks ago

  • Summary changed from GDPR compliance shoud not confuse a user who just commented to Show the comment / awaiting moderation message even without opt-in

#6 @xkon
8 weeks ago

  • Keywords needs-testing added; 2nd-opinion removed

This ticket was mentioned in Slack in #gdpr-compliance by xkon. View the logs.


8 weeks ago

#8 @desrosj
8 weeks ago

  • Milestone changed from Awaiting Review to 4.9.6

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


8 weeks ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


7 weeks ago

#11 @desrosj
7 weeks ago

  • Milestone changed from 4.9.6 to 4.9.7

#12 @imath
7 weeks ago

Hi @desrosj

I usually do not discuss "punting" decisions, I know you and the Core team are doing a great job using a time you could use for something else. I just wanted to let you know although I respect your decision about this ticket i think you took a very wrong one.

4.9.6 is a minor release, yes.. But it will be automatically upgraded for the wide majority of WordPress sites. This means your decision to leave a regression GDPR compliance adjustments introduced into the existing user experience won't be avoidable by these sites.

So if you stay on this line, which given what you consider a "tricky" approach needing test cases about cache consideration is totally understandable, I do advise you to communicate to this wide majority of WordPress sites (eg: at least on make.wordpress.org/core) about the fact that when 4.9.6 will be upgraded to their site : there will be great chances the administrator of these sites will receive similar comments by the same people or questions by people who commented that are unsure their comment was saved etc... because the user did not activate the "cookies consent" checkbox and you decided to postpone this issue to the next minor release.

imho : it's a risky situation because some people might think they have a worse user experience because they didn't consent to store some of their personal data into cookies :(

Anyways, i prefer to inform here I just made a plugin on GitHub in case Administrators want to make sure their users won't have to suffer from this regression until 4.9.7 : https://github.com/imath/gdpr-compliance-is-not-a-worse-user-experience

#13 @desrosj
7 weeks ago

@imath thank you for the detailed response! I appreciate the feedback and it really helps us prioritize things.

Instead of just moving the ticket, I should have provided proper context when I moved it out of the milestone. We moved this out based on discussion in two consecutive bug scrubs from multiple people that they didn't have the bandwidth to give this one the proper testing.

We decided to punt based on that with the knowledge that it could be added back to the milestone when someone was able to give it a proper review, and that bug fixes can be committed after the beta (which is this Tuesday). Also, we are using 4.9.7 currently for things we are not sure we can get to, but should be next on our list (as opposed to Awaiting Review, Future Release, etc..

Looping in @allendav and @azaozz so that they are aware of your thoughts on this one. Sorry again for not providing context when changing milestone!

#14 @imath
7 weeks ago

@desrosj many thanks to you for the explanation and it’s ok, I can imagine how it musts be time consuming if you’d explain every punt decisions. No worries.

I still have understanding difficulties about the 4.9.6/4.9.7 dance, but it’s probably because i’m too anxious about this issue i’m considering as a blocker for 4.9.6 ;)

This ticket was mentioned in Slack in #gdpr-compliance by audrasjb. View the logs.


6 weeks ago

This ticket was mentioned in Slack in #core by desrosj. View the logs.


6 weeks ago

This ticket was mentioned in Slack in #gdpr-compliance by desrosj. View the logs.


6 weeks ago

#18 @allendav
6 weeks ago

At this late stage (of 4.9.6), I think we should just

1) add a filter to disable the 43436 behavior and 2) also fix the persistent form-fill-in that @xkon notes in the first comment on this ticket

Will that help @imath ? It should give us time to come up with a robust solution for moderation without opt-in

#19 @imath
6 weeks ago

@allendav Thanks for looking at this bug. I really appreciate your consideration.

FYI 43857.patch was leaving the form filled for next comments, and 43857.2.patch is fixing that form-fill-in.

Then, sorry but I'm not sure to understand your plan for this late stage. If I rephrase does this mean :

  1. Introduce a filter that would prevent the opt-in checkbox about cookies consent to be displayed on the comment form
  2. Store cookies to make sure the awaiting moderation message is still displayed to the user so that he sees his comment was saved but make sure the form is emptied for next comments ?

I think 1. can already be achieved filtering comment_form_default_fields and 2. seems a weird behavior to me because it looks like hiding cookies are saved so i'm probably misunderstanding.

Options i see :

  1. If losing the information "your comment is awaiting moderation" is not a regression for comment authors, then fine, let's just remove the anchor to the comment that is appended to the redirect URL when ! $cookies_consent. Because it leads to nowhere in the comments list of the loaded page.
  1. If losing the information "your comment is awaiting moderation" is a regression for comment authors :
  • the comment ID needs to be added as a query var to the URL so that it's possible to include the comment at next page load (for example the attached 43857.2.patch).
  • or you can wp_die( '<p>Your comment is awaiting moderation</p>', 'Comment awaiting moderation', array( 'back_link' => true ) );

@imath
5 weeks ago

Refresh the patch & make sure potential query vars added by plugins are not altered

#20 @desrosj
5 weeks ago

  • Component changed from Comments to Privacy

Moving to the new Privacy component.

#21 @desrosj
5 weeks ago

  • Version changed from trunk to 4.9.6

Marking privacy bugs as introduced in 4.9.6.

#22 @lakenh
4 weeks ago

#44160 was marked as a duplicate.

This ticket was mentioned in Slack in #core by lakenh. View the logs.


4 weeks ago

#24 @desrosj
4 weeks ago

  • Milestone changed from 4.9.7 to 4.9.8

Moving all tickets in 4.9.7 to 4.9.8.

#25 @jeremyclarke
4 weeks ago

FWIW I want to +1 the view that this is a tremendous problem that should have been a blocker for the update. It fails silently in a very bad way and in a way that is very hard to test. Only dev teams doing very detailed QA will have noticed this problem, especially because it won't affect any site admins (who are of course logged in).

On top of this, many themes over the years use other methods to generate comment forms, in which case the consent checkbox doesn't show at all. In that scenario this situation is even worse, because the cookie is never generated and no one sees the moderation message.

If the site I manage had auto-updated without my intervention and testing first, our commenting would have become incoherent because this patch wasn't included. In a point release.

---

Other thought: Having this work properly by default (moderation message always shows regardless of cookie) is very important because many sites should just choose to ditch the cookie and it's consent woes entirely.

It's really not a big deal to fill out comments again, and honestly I'd rather have the form and privacy policy be simpler. It strikes me that if this cookie-based feature didn't already exist in core, it would never get added now that GDPR makes it such a headache for everyone involved.

Just looking at #43436 and all the important information @johnjamesjacoby brought up that should be shown with the checkbox, but isn't for usability reasons, really drives this home.

As site admins, opting out of the comment cookie entirely is the killer feature. Excited for this patch to be added ASAP.

#26 @superpoincare
3 weeks ago

Also, I want to raise this point:

Let's say I use Twenty Seventeen, and uncheck "Comment author must fill out name and email" in Discussion settings.

Then some visitor to my site comments and only enters the name but not the email or maybe neither. Then what?

Note: See TracTickets for help on using tickets.