WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 8 months ago

Last modified 4 months ago

#7054 closed enhancement (fixed)

Generated avatars should not be shown on moderation pages.

Reported by: podz Owned by: ryan
Milestone: 3.7 Priority: normal
Severity: normal Version:
Component: Comments Keywords: has-patch
Focuses: Cc:

Description

When moderating a lot of comments or checking the akismet queue the presence of an avatar can assist when checking for spammers. If generated avatars are shown on those pages it will increase the time to check comments and could lead to spam being inadvertently approved.

These 2 pages should not show generated avatars.

/edit-comments.php?comment_status=moderated

/edit-comments.php?page=akismet-admin

This does mean that avatar-free users who have had a previous comment approved would not have their generated avatar shown. In this case their avatar would need to be shown.

Attachments (2)

7054.diff (418 bytes) - added by solarissmoke 3 years ago.
7054-2.diff (1.9 KB) - added by solarissmoke 3 years ago.

Download all attachments as: .zip

Change History (22)

comment:1 ryan6 years ago

  • Owner changed from anonymous to ryan

comment:2 Viper007Bond5 years ago

  • Type changed from defect (bug) to enhancement

comment:3 Denis-de-Bernardy5 years ago

  • Component changed from Administration to Comments
  • Keywords needs-patch added
  • Milestone changed from 2.9 to Future Release

comment:4 in reply to: ↑ description ; follow-up: johnbillion4 years ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Replying to podz:

If generated avatars are shown on those pages it will increase the time to check comments

Negligable. Gravatar CDN probably has less latency then the blog server in many cases.

and could lead to spam being inadvertently approved.

Maybe, maybe not. Not a strong argument though.

Wontfixing due to negligable usefulness and lack of traction in 2 years.

comment:5 in reply to: ↑ 4 ; follow-up: Viper007Bond4 years ago

  • Keywords needs-patch added
  • Milestone set to Future Release
  • Resolution wontfix deleted
  • Status changed from closed to reopened

Replying to johnbillion:

Negligable. Gravatar CDN probably has less latency then the blog server in many cases.

You're completely missing the point of this ticket. This suggestion has nothing to do with the actual generating rather that spam bots lack a Gravatar, so by removing the generated avatars you can more easily spot posts by spam bots and such.

Tickets also shouldn't be closed without a community consensus IMO.

comment:6 nacin4 years ago

I had to read this ticket five times to realize it was not the same as #13275. I imagine johnbillion read it the same way. At this point, I believe I understand it to show the mystery man (or nothing) instead of, say, a monsterID, when the email doesn't have a gravatar. That makes sense to me.

Tickets also shouldn't be closed without a community consensus IMO.

I'm all for the cleaning of stale tickets by those who have the time and drive to do so. At least a few of us read every comment, so we can jump in and handle if there's any issues or conflicting opinions.

comment:7 in reply to: ↑ 5 ; follow-up: johnbillion4 years ago

Replying to Viper007Bond:

You're completely missing the point of this ticket. This suggestion has nothing to do with the actual generating rather that spam bots lack a Gravatar, so by removing the generated avatars you can more easily spot posts by spam bots and such.

Ah-ha, that phrases the ticket much better and in fact I agree, this sounds like a good idea.

Opposing view just for the sake of argument: If a spammer should sign up for Gravatar (all you need to do to sign up is enter your email address on gravatar.com, click the link in the email and then upload a pic) and then leaves spam comments, would this not make his comment appear more legitimate in the comment admin screen due to the presence of an avatar? Would spammers go to this length?

Replying to Viper007Bond:

Tickets also shouldn't be closed without a community consensus IMO.

This was a stale ticket with small scope and no input in 2 years. As Nacin said, several people sub to wp-trac or the comments or timeline on Trac to keep an eye on closes.

comment:8 in reply to: ↑ 7 Viper007Bond4 years ago

Personally I think we should use the Mystery Man in the admin area, regardless of the settings. The lack of Gravatar would make me think ping/trackback. The advantage of Mystery Man over generated avatars is it's easy to spot.

Replying to johnbillion:

Opposing view just for the sake of argument: If a spammer should sign up for Gravatar (all you need to do to sign up is enter your email address on gravatar.com, click the link in the email and then upload a pic) and then leaves spam comments, would this not make his comment appear more legitimate in the comment admin screen due to the presence of an avatar? Would spammers go to this length?

It is a bit of an arms race, but it makes spamming harder maybe.

solarissmoke3 years ago

comment:9 solarissmoke3 years ago

  • Keywords has-patch added; needs-patch removed

Patch is quite simple - if there is still traction for this.

comment:10 mrmist3 years ago

+1 to this. It'd make scanning through my 700 spams much easier.

Should it apply to recent comments dashboard widget, too?

comment:11 markjaquith3 years ago

This makes sense to me. Might want to update the Gravatar settings text to indicate that the option applies to the front end of the site.

solarissmoke3 years ago

comment:12 solarissmoke3 years ago

Updated the patch to include the dashboard widget and make this explicit in the settings page as suggested by markjaquith. The settings text I've added probably needs to be improved however.

comment:13 Hanni8 months ago

  • Cc h@… added

comment:14 nacin8 months ago

I'm not sure we actually need to update the instructions here.

comment:15 nacin8 months ago

And also, the proposed text isn't strictly true: It only applies for the frontend for comments. We use them for post locks, revisions, the users table, etc. I think this should just be a silent enhancement — too difficult to explain otherwise.

comment:16 nacin8 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 25091:

In the admin, do not use auto-generated Gravatar images for comment authors.

This makes it easier to recognize Gravatars (or lack thereof) when moderating comments.

props solarissmoke.
fixes #7054.

comment:17 nacin8 months ago

  • Milestone changed from Future Release to 3.7

comment:18 follow-up: FrankSwift4 months ago

Is there anyway to disable this functionality? I tend to read my comments in admin and the generic Mystery Man makes it more difficult for me to quickly scan for familiar commenters who don't use Gravatars. I don't have problems with spam as others, so this change is actually a hindrance to me for comment reading and moderation.

comment:19 in reply to: ↑ 18 ; follow-up: SergeyBiryukov4 months ago

Replying to FrankSwift:

Is there anyway to disable this functionality?

I've uploaded a plugin to #25764 which does that.

comment:20 in reply to: ↑ 19 FrankSwift4 months ago

Replying to SergeyBiryukov:

Replying to FrankSwift:

Is there anyway to disable this functionality?

I've uploaded a plugin to #25764 which does that.

Thanks, I'll check it out.

Note: See TracTickets for help on using tickets.