X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/79d2d44db2acc4aeaf60de17d86951e1d7259e1d..251fe8dae6e0bdf5a3d3ad4fc413b2163fecbb75:/doc/todo/comments.mdwn
diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn
index bab46a0b2..7a113bee3 100644
--- a/doc/todo/comments.mdwn
+++ b/doc/todo/comments.mdwn
@@ -10,26 +10,21 @@
> it's hard enough to get some people to title their blog posts :-)
> --[[smcv]]
-* If a spammer posts a comment, it is either impossible or hard to clean
- up via the web. Would be nice to have some kind of link on the comment
- that allows trusted users to remove it (using the remove plugin of
- course).
-
- > Won't the remove plugin refuse to remove internal pages? This would be
- > a good feature to have, though. --[[smcv]]
-
-## Patches pending merge
-
-* There is some common code cargo-culted from other plugins (notably inline and editpage) which
- should probably be shared
-
- > Actually, there's less of this now than there used to be - a lot of simple
- > things that were shared have become unshareable as they became more
- > complex. --[[smcv]]
+## Won't fix
- > There's still goto. You have a branch for that. --[[Joey]]
+* Because IkiWiki generates static HTML, we can't have a form inlined in
+ page.tmpl where the user fills in an entire comment and can submit it in
+ a single button-press, without being vulnerable to cross-site request forgery.
+ So I'll put this in as wontfix. --[[smcv]]
-## Won't fix
+ > Surely there's a way around that?
+ > A web 2.0 way comes to mind: The user clicks on a link
+ > to open the comment post form. While the nasty web 2.0 javascript :)
+ > is manipulating the page to add the form to it, it looks at the cookie
+ > and uses that to insert a sid field.
+ >
+ > Or, it could have a mandatory preview page and do the CSRF check then.
+ > --[[Joey]]
* It would be useful to have a pagespec that always matches all comments on
pages matching a glob. Something like `comment(blog/*)`.
@@ -55,6 +50,17 @@
## Done
+* There is some common code cargo-culted from other plugins (notably inline and editpage) which
+ should probably be shared
+
+ > Actually, there's less of this now than there used to be - a lot of simple
+ > things that were shared have become unshareable as they became more
+ > complex. --[[smcv]]
+
+ > There's still goto. You have a branch for that. --[[Joey]]
+
+ >> Now merged --[[smcv]]
+
* The default template should have a (?) icon next to unauthenticated users (with the IP address
as title) and an OpenID icon next to OpenIDs
@@ -99,6 +105,7 @@
> and c42f174e fix another `beautify_urlpath` bug and add a regression test
> --[[smcv]]
+
* Now that inline has some comments-specific functionality anyway, it would
be good to output `` in Atom and the equivalent in RSS.
@@ -142,3 +149,22 @@
first. --[[smcv]]
> done --[[Joey]]
+
+* If a spammer posts a comment, it is either impossible or hard to clean
+ up via the web. Would be nice to have some kind of link on the comment
+ that allows trusted users to remove it (using the remove plugin of
+ course).
+
+ > Won't the remove plugin refuse to remove internal pages? This would be
+ > a good feature to have, though. --[[smcv]]
+
+ > Here, FWIW, is the first ikiwiki comment spam I've seen:
+ >
+ > So that took about 10 days...
+ > --[[Joey]]
+
+ >> Implemented in my 'comments' branch, please review. It turns out
+ >> [[plugins/remove]] is happy to remove internal pages, so it was quite
+ >> easy to do. --[[smcv]]
+
+ >>> done --[[Joey]]