X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/79d2d44db2acc4aeaf60de17d86951e1d7259e1d..07cb6368aa2d6404ea24186be816b2d07afec071:/doc/todo/comments.mdwn

diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn
index bab46a0b2..7a113bee3 100644
--- a/doc/todo/comments.mdwn
+++ b/doc/todo/comments.mdwn
@@ -10,26 +10,21 @@
   > it's hard enough to get some people to title their blog posts :-)
   > --[[smcv]]
 
-* If a spammer posts a comment, it is either impossible or hard to clean
-  up via the web. Would be nice to have some kind of link on the comment
-  that allows trusted users to remove it (using the remove plugin of
-  course).
-
-  > Won't the remove plugin refuse to remove internal pages? This would be
-  > a good feature to have, though. --[[smcv]]
-
-## Patches pending merge
-
-* There is some common code cargo-culted from other plugins (notably inline and editpage) which
-  should probably be shared
-
-  > Actually, there's less of this now than there used to be - a lot of simple
-  > things that were shared have become unshareable as they became more
-  > complex. --[[smcv]]
+## Won't fix
 
-  > There's still goto. You have a branch for that. --[[Joey]] 
+* Because IkiWiki generates static HTML, we can't have a form inlined in
+  page.tmpl where the user fills in an entire comment and can submit it in
+  a single button-press, without being vulnerable to cross-site request forgery.
+  So I'll put this in as wontfix. --[[smcv]]
 
-## Won't fix
+  > Surely there's a way around that?
+  > A web 2.0 way comes to mind: The user clicks on a link
+  > to open the comment post form. While the nasty web 2.0 javascript :)
+  > is manipulating the page to add the form to it, it looks at the cookie
+  > and uses that to insert a sid field.
+  > 
+  > Or, it could have a mandatory preview page and do the CSRF check then.
+  > --[[Joey]]
 
 * It would be useful to have a pagespec that always matches all comments on
   pages matching a glob. Something like `comment(blog/*)`.
@@ -55,6 +50,17 @@
 
 ## Done
 
+* There is some common code cargo-culted from other plugins (notably inline and editpage) which
+  should probably be shared
+
+  > Actually, there's less of this now than there used to be - a lot of simple
+  > things that were shared have become unshareable as they became more
+  > complex. --[[smcv]]
+
+  > There's still goto. You have a branch for that. --[[Joey]] 
+
+  >> Now merged --[[smcv]]
+
 * The default template should have a (?) icon next to unauthenticated users (with the IP address
   as title) and an OpenID icon next to OpenIDs
 
@@ -99,6 +105,7 @@
   > and c42f174e fix another `beautify_urlpath` bug and add a regression test
   > --[[smcv]]
 
+
 * Now that inline has some comments-specific functionality anyway, it would
   be good to output `<link rel="comments">` in Atom and the equivalent in RSS.
 
@@ -142,3 +149,22 @@
   first. --[[smcv]]
 
   > done --[[Joey]]
+
+* If a spammer posts a comment, it is either impossible or hard to clean
+  up via the web. Would be nice to have some kind of link on the comment
+  that allows trusted users to remove it (using the remove plugin of
+  course).
+
+  > Won't the remove plugin refuse to remove internal pages? This would be
+  > a good feature to have, though. --[[smcv]]
+
+  > Here, FWIW, is the first ikiwiki comment spam I've seen:
+  > <http://waldeneffect.org/blog/Snake_bite_information/#blog/Snake_bite_information/comment_1>
+  > So that took about 10 days...
+  > --[[Joey]] 
+
+  >> Implemented in my 'comments' branch, please review. It turns out
+  >> [[plugins/remove]] is happy to remove internal pages, so it was quite
+  >> easy to do. --[[smcv]]
+
+  >>> done --[[Joey]] 
