X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/blobdiff_plain/9bee6db8c604efd705d6d808fca3194eb4873cf4..4a108fa36b4c6a7d8436c37be55ed35675211997:/doc/todo/comments.mdwn diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn index a2c1deeb3..7a113bee3 100644 --- a/doc/todo/comments.mdwn +++ b/doc/todo/comments.mdwn @@ -10,15 +10,56 @@ > it's hard enough to get some people to title their blog posts :-) > --[[smcv]] -* If a spammer posts a comment, it is either impossible or hard to clean - up via the web. Would be nice to have some kind of link on the comment - that allows trusted users to remove it (using the remove plugin of - course). +## Won't fix - > Won't the remove plugin refuse to remove internal pages? This would be - > a good feature to have, though. --[[smcv]] +* Because IkiWiki generates static HTML, we can't have a form inlined in + page.tmpl where the user fills in an entire comment and can submit it in + a single button-press, without being vulnerable to cross-site request forgery. + So I'll put this in as wontfix. --[[smcv]] + + > Surely there's a way around that? + > A web 2.0 way comes to mind: The user clicks on a link + > to open the comment post form. While the nasty web 2.0 javascript :) + > is manipulating the page to add the form to it, it looks at the cookie + > and uses that to insert a sid field. + > + > Or, it could have a mandatory preview page and do the CSRF check then. + > --[[Joey]] + +* It would be useful to have a pagespec that always matches all comments on + pages matching a glob. Something like `comment(blog/*)`. + Perhaps postcomment could also be folded into this? Then the pagespec + would match both existing comments, as well as new comments that are + being posted. + + > Please see [[plugins/comments/discussion]]. If I've convinced you that + > internal pages are the way forward, then sure, we can do that, because + > people who can comment still won't be able to edit others' comments + > (one of my goals is that commenters can't put words into each other's + > mouths :-) ) + > + > On the other hand, if you still want me to switch this plugin to "real" + > pages, or if internal pages might become editable in future, then + > configuring lockedit/anonok so a user X can add comments to blog pages + > would also let X edit/delete comments on blog pages (including those + > written by others) in arbitrary ways, which doesn't seem good. --[[smcv]] -## Patches pending merge + > I had a look at implementing comment() and fell afoul of + > some optimisations that assume only internal() will be used to match + > internal pages. So probably this isn't worth doing. --[[Joey]] + +## Done + +* There is some common code cargo-culted from other plugins (notably inline and editpage) which + should probably be shared + + > Actually, there's less of this now than there used to be - a lot of simple + > things that were shared have become unshareable as they became more + > complex. --[[smcv]] + + > There's still goto. You have a branch for that. --[[Joey]] + + >> Now merged --[[smcv]] * The default template should have a (?) icon next to unauthenticated users (with the IP address as title) and an OpenID icon next to OpenIDs @@ -64,43 +105,12 @@ > and c42f174e fix another `beautify_urlpath` bug and add a regression test > --[[smcv]] + * Now that inline has some comments-specific functionality anyway, it would be good to output `` in Atom and the equivalent in RSS. > Fixed in my comments branch by d0d598e4, 3feebe31, 9e5f504e --[[smcv]] -## Won't fix - -* There is some common code cargo-culted from other plugins (notably inline and editpage) which - should probably be shared - - > Actually, there's less of this now than there used to be - a lot of simple - > things that were shared have become unshareable as they became more - > complex. --[[smcv]] - -* It would be useful to have a pagespec that always matches all comments on - pages matching a glob. Something like `comment(blog/*)`. - Perhaps postcomment could also be folded into this? Then the pagespec - would match both existing comments, as well as new comments that are - being posted. - - > Please see [[plugins/comments/discussion]]. If I've convinced you that - > internal pages are the way forward, then sure, we can do that, because - > people who can comment still won't be able to edit others' comments - > (one of my goals is that commenters can't put words into each other's - > mouths :-) ) - > - > On the other hand, if you still want me to switch this plugin to "real" - > pages, or if internal pages might become editable in future, then - > configuring lockedit/anonok so a user X can add comments to blog pages - > would also let X edit/delete comments on blog pages (including those - > written by others) in arbitrary ways, which doesn't seem good. --[[smcv]] - - > I had a look at implementing comment() and fell afoul of - > some optimisations that assume only internal() will be used to match - > internal pages. So probably this isn't worth doing. --[[Joey]] - -## Done * Add `COMMENTOPENID`: the authenticated/verified user name, if and only if it was an OpenID @@ -139,3 +149,22 @@ first. --[[smcv]] > done --[[Joey]] + +* If a spammer posts a comment, it is either impossible or hard to clean + up via the web. Would be nice to have some kind of link on the comment + that allows trusted users to remove it (using the remove plugin of + course). + + > Won't the remove plugin refuse to remove internal pages? This would be + > a good feature to have, though. --[[smcv]] + + > Here, FWIW, is the first ikiwiki comment spam I've seen: + > + > So that took about 10 days... + > --[[Joey]] + + >> Implemented in my 'comments' branch, please review. It turns out + >> [[plugins/remove]] is happy to remove internal pages, so it was quite + >> easy to do. --[[smcv]] + + >>> done --[[Joey]]