-Comments are saved as internal pages, so they can never be edited through the CGI,
-only by direct committers. Currently, comments are always in [[ikiwiki/markdown]].
-
-> So, why do it this way, instead of using regular wiki pages in a
-> namespace, such as `$page/comments/*`? Then you could use [[plugins/lockedit]] to
-> limit editing of comments in more powerful ways. --[[Joey]]
-
->> Er... I suppose so. I'd assumed that these pages ought to only exist as inlines
->> rather than as individual pages (same reasoning as aggregated posts), though.
->>
->> lockedit is actually somewhat insufficient, since `check_canedit()`
->> doesn't distinguish between creation and editing; I'd have to continue to use
->> some sort of odd hack to allow creation but not editing.
->>
->> I also can't think of any circumstance where you'd want a user other than
->> admins (~= git committers) and possibly the commenter (who we can't check for
->> at the moment anyway, I don't think?) to be able to edit comments - I think
->> user expectations for something that looks like ordinary blog comments are
->> likely to include "others can't put words into my mouth".
->>
->> My other objection to using a namespace is that I'm not particularly happy about
->> plugins consuming arbitrary pieces of the wiki namespace - /discussion is bad
->> enough already. Indeed, this very page would accidentally get matched by rules
->> aiming to control comment-posting... :-) --[[smcv]]
-
-Directives and raw HTML are filtered out by default, and comment authorship should
-hopefully be unforgeable by CGI users.
-
-> I'm not sure that raw html should be a problem, as long as the
-> htmlsanitizer and htmlbalanced plugins are enabled. I can see filtering
-> out directives, as a special case. --[[Joey]]
-
->> Right, if I sanitize each post individually, with htmlscrubber and either htmltidy
->> or htmlbalance turned on, then there should be no way the user can forge a comment;
->> I was initially wary of allowing meta directives, but I think those are OK, as long
->> as the comment template puts the \[[!meta author]] at the *end*. Disallowing
->> directives is more a way to avoid commenters causing expensive processing than
->> anything else, at this point.
->>
->> I've rebased the plugin on master and made it sanitize individual posts' content now.
->> Disallowing HTML is still optional and on by default, but it's trivial to remove
->> the code. --[[smcv]]
-
-When comments have been enabled generally, you still need to mark which pages
-can have comments, by including the `\[[!comments]]` directive in them. By default,
-this directive expands to a "post a comment" link plus an `\[[!inline]]` with
-the comments.
-
-> I don't like this, because it's hard to explain to someone why they have
-> to insert this into every post to their blog. Seems that the model used
-> for discussion pages could work -- if comments are enabled, automatically
-> add the comment posting form and comments to the end of each page.
-> --[[Joey]]
-
->> I don't think I'd want comments on *every* page (particularly, not the
->> front page). Perhaps a pagespec in the setup file, where the default is "*"?
->> Then control freaks like me could use "link(tags/comments)" and tag pages
->> as allowing comments.
->>
->> The model used for discussion pages does require patching the existing
->> page template, which I was trying to avoid - I'm not convinced that having
->> every possible feature hard-coded there really scales (and obviously it's
->> rather annoying while this plugin is on a branch). --[[smcv]]