1 [[!template id=gitbranch branch=smcv/ready/comments author="[[smcv]]"
2 browse="http://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/ready/comments"]]
3 [[!tag patch users/smcv/ready]]
5 The ability to post comments depends on several factors:
7 * `comments_pagespec` controls whether comments on a particular
9 * `comments_closed_pagespec` controls whether comments on
10 a particular page are allowed
11 * the `check_canedit` call controls whether comments are allowed
12 for a particular combination of page and user
14 If `check_canedit` says that a user can post a comment
15 (in particular, if [[plugins/opendiscussion]] is enabled or
16 [[plugins/lockedit]] is disabled or permissive),
17 and `comments_closed_pagespec` does not contradict it,
18 then users who construct a `do=comment` CGI URL manually
19 can post comments that will not be displayed. I don't think
20 this is a security flaw as such, which is why I'm not
21 reporting it privately, but it violates least-astonishment.
23 My `ready/comments` branch fixes this, by changing the test
24 at submission time from (pseudocode)
26 !comments_closed_pagespec && check_canedit
30 comments_pagespec && !comments_closed_pagespec && check_canedit
34 > [[merged|done]] --[[smcv]]