[wp-hackers] Ideas for new features. (3.x?)
chrome at stupendous.net
Tue Feb 7 04:15:39 GMT 2006
I'm new to this list, so I hope people can excuse my boldness.
I've been giving some thought to what I would like out of a blogging
tool. A few things stand out in my mind, some as a system engineer
who would like to integrate Wordpress into a hosted environment for
his users, and some as a user.
1. Securely editable templates.
Some of the approaches to this have been to allow only CSS files to
be uploaded/edited - but there are some problems with this security
wise. Other approaches are to allow .php files to be uploaded/edited
but have a list of PHP functions that may be used and reject the
template if anything else appears.
Personally, I don't like either of these approaches. I think that
using Smarty makes a lot more sense, as it completely separates logic
away from template design with the secure mode enabled.
So I would like to see Wordpress move away from having php code
directly in the templates, and all of the HTML code move outside of
the PHP into the templates. I humbly suggest hunting down all
and moving them into smarty templates.
With the right variables being fed into each template, one could
offer the template designer a huge amount of power in terms of what
is displayed on each page, without having to expose any code to him.
2. Cross-authenticated comments and trackbacks.
Hoo boy. This is something I've been thinking about for a while, to
try and fix some aspects of the comment spam/traceback spam issue.
None of the methods currently in use are particularly ideal, and
something that doesn't exist in the core doesn't get used by most
blogs - most of the blogs out there are clean installs with no
plugins (or maybe a couple).
What do I mean by 'cross-authentication'?
Well, let me describe from a user point of view.
Step 1: An external (ie, he is not registered to your blog) user
views your blog. He wants to make a comment. He types his comment
into your comments page, puts in his username (on HIS blog) in the
name field, and puts the URL to HIS blog in the Website: field.
Step 2: He presses Submit. Wordpress stores the comment in the
comments DB and redirects to the remote user's blog's URL + something
Step 3: The remote user's blog connects to YOUR blog via verify-
post.php and grabs the comment (via XML, whatever).
Step 4: It then checks the remote user's cookies, and if he's logged
in as the user specified in the username field, it creates a
cryptographic hash (MD5 maybe) consisting of the post text, the user
name and a secret key (not the password). It stores this in the
database locally in case any comment needs to be reverified. If the
user is NOT logged in, present a login form, let the guy
authenticate, and then continue as if he was.
Step 5: Remote blog pushes back to YOUR blog this hash with a token
of "approved" or something like that.
Step 6: Your blog marks the comment as "verified" and stores the hash
in case this comment needs to be re-verified in the future.
Step 7: Remote blog redirects user back to your comments page, which
then can be configured to display the comment without moderation.
This all could be done with AJAX maybe? Not sure how AJAX works but
if I understand the gist of it, the redirect between the two sites
could be done transparently to the user, except in the case that the
user didn't have a valid cookie for his site.
This methodology could be applied to trackbacks as well, but
transparently to the user so that the blog receiving the tackback
ping can check with the originating blog that it sent the ping. (Does
this happen already? I don't know how trackbacks work under the hood).
What does this buy us?
A distributed authentication system, which allows anyone who has a
blog that implements this system to comment onto anyone else's blog
that implements this system without fear that they can be
impersonated, or their comments modified by the site owners. (A
'verify this comment' button can be on the page, which redirects to
the commenter's site which then displays a "this comment is verified
as authentic" message along with the comment text)
If I am an impersonator and try to post as you on my blog, if my blog
implements this code it will check back with your blog and I won't be
able to log in and authenticate.
I can hack my blog to skip that step, and "pretend" to request
authorisation for comments, but that would be easily detectable by
anyone who wanted to check, because they can just click 'verify this
The other thing it buys us is that spammers have to set up a working
blog for them to be able to comment on our blog - suddenly the cost
of comment spam goes up. And on our side, we can just do blanket
"Disallow comments from this url" or even allow regexs so if the
spammer uses a predictable blogname, we can block all instances of
it. Or just go and post on HIS blog and call him names. Whatever :)
Admittedly, I haven't thought about this too hard yet, and I don't
know if it would work, but I'd like people's feedback on it - there
are probably other ways to achieve the same thing, and probably other
benefits and drawbacks, so it would be nice to know them.
"Show me the code!"
I'm working on code as a proof of concept, but its not a part of
wordpress yet as I was getting a headache trying to decypher how
wordpress works internally and its easier for me to just write a
proof-of-concept blog tool and demonstrate that, and have someone
else come along and get it working in WP.
Um, thats it! Just two for now. Maybe more later. This mail got too
On Feb 7, 2006, at 5:09 AM, Matt Mullenweg wrote:
> The last thread about the next version of WP had some interesting
> ideas in it, but I think the question may have been framed the
> wrong way. What I'm far more interested in working on for the next
> version is this:
> How can we make WordPress simpler in the next release?
> How can we reduce support requests on the forums?
> How can we make it faster?
> (To riff on an idea, consider starting a new thread.)
> Matt Mullenweg
> http://photomatt.net | http://wordpress.org
> http://automattic.com | http://akismet.com
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers