X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/9bee6db8c604efd705d6d808fca3194eb4873cf4..09d7cab02f5989522b51c43eccef43177512fbf1:/doc/todo/comments.mdwn
diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn
index a2c1deeb3..7a113bee3 100644
--- a/doc/todo/comments.mdwn
+++ b/doc/todo/comments.mdwn
@@ -10,15 +10,56 @@
> it's hard enough to get some people to title their blog posts :-)
> --[[smcv]]
-* If a spammer posts a comment, it is either impossible or hard to clean
- up via the web. Would be nice to have some kind of link on the comment
- that allows trusted users to remove it (using the remove plugin of
- course).
+## Won't fix
- > Won't the remove plugin refuse to remove internal pages? This would be
- > a good feature to have, though. --[[smcv]]
+* Because IkiWiki generates static HTML, we can't have a form inlined in
+ page.tmpl where the user fills in an entire comment and can submit it in
+ a single button-press, without being vulnerable to cross-site request forgery.
+ So I'll put this in as wontfix. --[[smcv]]
+
+ > Surely there's a way around that?
+ > A web 2.0 way comes to mind: The user clicks on a link
+ > to open the comment post form. While the nasty web 2.0 javascript :)
+ > is manipulating the page to add the form to it, it looks at the cookie
+ > and uses that to insert a sid field.
+ >
+ > Or, it could have a mandatory preview page and do the CSRF check then.
+ > --[[Joey]]
+
+* It would be useful to have a pagespec that always matches all comments on
+ pages matching a glob. Something like `comment(blog/*)`.
+ Perhaps postcomment could also be folded into this? Then the pagespec
+ would match both existing comments, as well as new comments that are
+ being posted.
+
+ > Please see [[plugins/comments/discussion]]. If I've convinced you that
+ > internal pages are the way forward, then sure, we can do that, because
+ > people who can comment still won't be able to edit others' comments
+ > (one of my goals is that commenters can't put words into each other's
+ > mouths :-) )
+ >
+ > On the other hand, if you still want me to switch this plugin to "real"
+ > pages, or if internal pages might become editable in future, then
+ > configuring lockedit/anonok so a user X can add comments to blog pages
+ > would also let X edit/delete comments on blog pages (including those
+ > written by others) in arbitrary ways, which doesn't seem good. --[[smcv]]
-## Patches pending merge
+ > I had a look at implementing comment() and fell afoul of
+ > some optimisations that assume only internal() will be used to match
+ > internal pages. So probably this isn't worth doing. --[[Joey]]
+
+## Done
+
+* There is some common code cargo-culted from other plugins (notably inline and editpage) which
+ should probably be shared
+
+ > Actually, there's less of this now than there used to be - a lot of simple
+ > things that were shared have become unshareable as they became more
+ > complex. --[[smcv]]
+
+ > There's still goto. You have a branch for that. --[[Joey]]
+
+ >> Now merged --[[smcv]]
* The default template should have a (?) icon next to unauthenticated users (with the IP address
as title) and an OpenID icon next to OpenIDs
@@ -64,43 +105,12 @@
> and c42f174e fix another `beautify_urlpath` bug and add a regression test
> --[[smcv]]
+
* Now that inline has some comments-specific functionality anyway, it would
be good to output `` in Atom and the equivalent in RSS.
> Fixed in my comments branch by d0d598e4, 3feebe31, 9e5f504e --[[smcv]]
-## Won't fix
-
-* There is some common code cargo-culted from other plugins (notably inline and editpage) which
- should probably be shared
-
- > Actually, there's less of this now than there used to be - a lot of simple
- > things that were shared have become unshareable as they became more
- > complex. --[[smcv]]
-
-* It would be useful to have a pagespec that always matches all comments on
- pages matching a glob. Something like `comment(blog/*)`.
- Perhaps postcomment could also be folded into this? Then the pagespec
- would match both existing comments, as well as new comments that are
- being posted.
-
- > Please see [[plugins/comments/discussion]]. If I've convinced you that
- > internal pages are the way forward, then sure, we can do that, because
- > people who can comment still won't be able to edit others' comments
- > (one of my goals is that commenters can't put words into each other's
- > mouths :-) )
- >
- > On the other hand, if you still want me to switch this plugin to "real"
- > pages, or if internal pages might become editable in future, then
- > configuring lockedit/anonok so a user X can add comments to blog pages
- > would also let X edit/delete comments on blog pages (including those
- > written by others) in arbitrary ways, which doesn't seem good. --[[smcv]]
-
- > I had a look at implementing comment() and fell afoul of
- > some optimisations that assume only internal() will be used to match
- > internal pages. So probably this isn't worth doing. --[[Joey]]
-
-## Done
* Add `COMMENTOPENID`: the authenticated/verified user name, if and only if it was an OpenID
@@ -139,3 +149,22 @@
first. --[[smcv]]
> done --[[Joey]]
+
+* If a spammer posts a comment, it is either impossible or hard to clean
+ up via the web. Would be nice to have some kind of link on the comment
+ that allows trusted users to remove it (using the remove plugin of
+ course).
+
+ > Won't the remove plugin refuse to remove internal pages? This would be
+ > a good feature to have, though. --[[smcv]]
+
+ > Here, FWIW, is the first ikiwiki comment spam I've seen:
+ >
+ > So that took about 10 days...
+ > --[[Joey]]
+
+ >> Implemented in my 'comments' branch, please review. It turns out
+ >> [[plugins/remove]] is happy to remove internal pages, so it was quite
+ >> easy to do. --[[smcv]]
+
+ >>> done --[[Joey]]