WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#7916 closed defect (bug) (wontfix)

Can see others comments which are in moderation

Reported by: marutiborker
Owned by:
Milestone:
Priority: lowest
Severity: trivial
Version:
Component: General
Keywords: moderation, security
Focuses:
Cc:

Description

If there is a blog where comments are moderated, and you post a comment using some name 'x', email 'y' and website address 'z', then it will show the comment as "awaiting moderation". This happens even if the same user revisits the post again. But if another person uses the same x, y, z to post a comment, he can see all the comments posted by the first person.

Change History (6)

comment:1 follow-up: @azaozz 6 years ago

  • Component changed from Security to General
  • Priority changed from high to lowest
  • Resolution set to wontfix
  • Severity changed from critical to trivial
  • Status changed from new to closed

You are worried that when someone posts a comment and it's held for moderation, someone else may see the comment if they accidentally enter exactly the same name and email? What are the chances of this happening (emails are unique, aren't they)? Also comments are public by design, there shouldn't be any private info there.

Closing as wontfix, if there's a good reason to protect comments held for moderation, feel free to reopen.

comment:2 @thee17 6 years ago

  • Milestone 2.8 deleted

comment:3 in reply to: ↑ 1 @marutiborker 6 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

Replying to azaozz:

> You are worried that when someone posts a comment and it's held for moderation, someone else may see the comment if they accidentally enter exactly the same name and email? What are the chances of this happening (emails are unique, aren't they)?

I know that the chances are really low, but there is some chance, right?

> Also comments are public by design, there shouldn't be any private info there.

If this is true, then why should there be an option of moderating a blog? If the blog is moderated, that means that unless the author approves it, the comment shouldn't be shown.


> Closing as wontfix, if there's a good reason to protect comments held for moderation, feel free to reopen.

Take a scenario: if there is a blog on a very controversial topic, and the author is getting lots of offensive comments, then the author wouldn't want others to see the comments.

I think this should be a lowest priority ticket and I should have known that.

comment:4 follow-up: @mrmist 6 years ago

I'd expect this to be required behaviour in order to display comments that are in moderation to the (anonymous) people who left them. Seems like the benefits of coding this are not proportional to the effort required.

comment:5 in reply to: ↑ 4 @marutiborker 6 years ago

  • Cc azaozz mrmist added

Replying to mrmist:

> I'd expect this to be required behaviour in order to display comments that are in moderation to the (anonymous) people who left them. Seems like the benefits of coding this are not proportional to the effort required.

I would agree that a good amount of work was put into this, but can't we use the user's IP (local IP if behind a proxy) and the username, email, website pair to make it more secure?

comment:6 @azaozz 6 years ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

If somebody wants to see the non-moderated comments of a particular commenter, he/she will need to know that commenter's email address and either craft a cookie with it or submit a comment pretending to be that commenter.

Currently WordPress stores the name, email and website entered in the comments form in a cookie in the commenter's browser. This is mainly to pre-fill these fields for returning commenters.

Most themes also use the name and email from the same cookie to identify returning commenters and show them their comments currently held for moderation.

If you need to secure the comments held for moderation, you can either not show them at all or require users to make accounts to be able to comment (then non-moderated comments are filtered by the user login).

Filtering by IP is possible (and easily done by the current theme) but is not that reliable since there may be a lot of users behind the same IP and also IPs change. Either way this is plugin material.
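The trade-offs discussed in this ticket, as an added example that is not part of the ticket and is not WordPress code: a simplified Python model of who is shown a held comment under cookie-claimed identity, IP matching, login-based filtering, and hiding held comments entirely. The class names, policy labels and sample data are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Comment:
    author: str
    email: str
    ip: str
    user_id: Optional[int]  # None when posted anonymously
    approved: bool
    text: str

@dataclass(frozen=True)
class Visitor:
    cookie_name: str = ""   # self-asserted, read from the comment cookie
    cookie_email: str = ""  # self-asserted, read from the comment cookie
    ip: str = ""
    user_id: Optional[int] = None  # set only by a real login

def visible(comments, visitor, policy):
    """Texts shown to `visitor`; approved comments are always shown."""
    def owns(c):
        if policy == "cookie":  # name + email match, as most themes do
            return bool(visitor.cookie_email) and (
                (c.author, c.email) == (visitor.cookie_name, visitor.cookie_email))
        if policy == "ip":      # same source address
            return c.ip == visitor.ip
        if policy == "login":   # authenticated account owns the comment
            return visitor.user_id is not None and c.user_id == visitor.user_id
        return False            # "hide": held comments are shown to nobody
    return [c.text for c in comments if c.approved or owns(c)]

# Constructed sample data (documentation-range IPs, example.com addresses).
COMMENTS = [
    Comment("x", "y@example.com", "203.0.113.5", 7, False, "held"),
    Comment("a", "b@example.com", "198.51.100.9", None, True, "approved"),
]
AUTHOR_NEW_IP = Visitor("x", "y@example.com", "192.0.2.80", user_id=7)
SAME_CLAIM = Visitor("x", "y@example.com", "192.0.2.44")  # not logged in
SHARED_IP = Visitor("q", "q@example.com", "203.0.113.5")  # other person

if __name__ == "__main__":
    for policy in ("cookie", "ip", "login", "hide"):
        for label, v in (("author, new IP", AUTHOR_NEW_IP),
                         ("same name/email", SAME_CLAIM),
                         ("shared IP", SHARED_IP)):
            print(f"{policy:6} {label:16} {visible(COMMENTS, v, policy)}")
```

Only the login policy ties visibility to something the visitor cannot simply assert; the IP policy both over-shares behind a shared address and loses the real author when their address changes.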
