[[!template id=plugin name=comments author="[[Simon_McVittie|smcv]]"]] [[!tag type/useful]] This plugin adds "blog-style" comments. The intention is that on a non-wiki site (like a blog) you can lock all pages for admin-only access, then allow otherwise unprivileged (or perhaps even anonymous) users to comment on posts. When using this plugin, you should also enable [[htmlscrubber]] and either [[htmltidy]] or [[htmlbalance]]. Directives are filtered out by default, to avoid commenters slowing down the wiki by causing time-consuming processing. As long as the recommended plugins are enabled, comment authorship should hopefully be unforgeable by CGI users. > I'm not sure that raw html should be a problem, as long as the > htmlsanitizer and htmlbalanced plugins are enabled. I can see filtering > out directives, as a special case. --[[Joey]] >> Right, if I sanitize each post individually, with htmlscrubber and either htmltidy >> or htmlbalance turned on, then there should be no way the user can forge a comment; >> I was initially wary of allowing meta directives, but I think those are OK, as long >> as the comment template puts the \[[!meta author]] at the *end*. Disallowing >> directives is more a way to avoid commenters causing expensive processing than >> anything else, at this point. >> >> I've rebased the plugin on master, made it sanitize individual posts' content >> and removed the option to disallow raw HTML. Sanitizing individual posts before >> they've been htmlized required me to preserve whitespace in the htmlbalance >> plugin, so I did that. Alternatively, we could htmlize immediately and always >> save out raw HTML? --[[smcv]] >> There might be some use cases for other directives, such as img, in >> comments. >> >> I don't know if meta is "safe" (ie, guaranteed to be inexpensive and not >> allow users to do annoying things) or if it will continue to be in the >> future. Hard to predict really, all that can be said with certainty is >> all directives will contine to be inexpensive and safe enough that it's >> sensible to allow users to (ab)use them on open wikis. >> --[[Joey]] The plugin adds a new [[ikiwiki/PageSpec]] match type, `postcomment`, for use with `anonok_pagespec` from the [[plugins/anonok]] plugin or `locked_pages` from the [[plugins/lockedit]] plugin. Typical usage would be something like: locked_pages => "!postcomment(*)" to allow non-admin users to comment on pages, but not edit anything. You can also do anonok_pages => "postcomment(*)" to allow anonymous comments (the IP address will be used as the "author"). There are some global options for the setup file: * `comments_shown_pagespec`: pages where comments will be displayed inline, e.g. `blog/*` or `*/discussion`. * `comments_open_pagespec`: pages where new comments can be posted, e.g. `blog/* and created_after(close_old_comments)` or `*/discussion` * `comments_pagename`: if this is e.g. `comment_` (the default), then comments on the [[sandbox]] will be called something like `sandbox/comment_12` * `comments_allowdirectives`: if true (default false), comments may contain IkiWiki directives * `comments_commit`: if true (default true), comments will be committed to the version control system This plugin aims to close the [[todo]] item "[[todo/supporting_comments_via_disussion_pages]]", and is currently available from [[smcv]]'s git repository on git.pseudorandom.co.uk (it's the `postcomment` branch). A demo wiki with the plugin enabled is running at . Known issues: * Needs code review * The access control via postcomment() is rather strange * There is some common code cargo-culted from other plugins (notably inline and editpage) which should probably be shared > I haven't done a detailed code review, but I will say I'm pleased you > avoided re-implementing inline! --[[Joey]] Wishlist: * tbm would like anonymous people to be able to enter their name and possibly email address * smcv would like an indication of who you're posting as / the ability to log in as someone else (even if anonymous comments are allowed, it'd be nice to be able to choose to log in with a username or OpenID, like in Livejournal); perhaps editpage needs this too