[wp-hackers] "commenter" user role

Hikari lists at hikarinet.info
Sat Mar 6 22:48:40 UTC 2010



----- Original Message ----- 
From: "scribu" <scribu at gmail.com>
Sent: Saturday, 06 March, 2010 1:15 PM


| On Sat, Mar 6, 2010 at 5:56 PM, Dougal Campbell <dougal at gunters.org> wrote:
|
| >  * It's a security concern:
|
| What this implies is that all sites that have user registration open are
| insecure.

Exactly.

They are less secure than sites that have stricter control over user accounts. And they should be more worried about security measures and definitely put the application of updates, as soon as they are available, as top priority.
Or have a very fast and efficient backup & restore solution :P


| >  * It complicates the ability to support Anonymous commenters.
| >
|
| Please explain.

Depending on how these features are implemented, they will force commentators to register accounts, OR automatically create accounts for them.

So, they are not anonymous anymore :)


| We could automatically remove commenters when they have no more comments on
| the site. Problem solved.

You mean, delete these comments?

Because it's my understanding that if some comment data are attached to user data, we can't delete those users without deleting their comments, or turning them anonymous.


It really concerns me that comment spammers will get wp-users accounts on my site...

And don't say it's simply a matter of deleting those comments and users together; by the time they are deleted, your whole site could already have been deleted...



| Just to clarify: open user registration would *not* be required for the
| "commenter" role proposal to function.

But there would be *users* being registered. Do you think hackers need a password, or that they use normal login passages, to get access?...



Again, this is a security concern. Ponder yourselves whether the features you want justify the increased code to be debugged and maintained regarding security.

Since wp-users is related to access permissions, is it possible to implement these features without bloating it? Is it possible to develop these features in a way that keeps them 100% separated from security-concerned code, instead of becoming part of that code?


If all you want is to take 3 wp-comments fields and move them to a separate table, and use this table to implement more features, why does it *need* to be wp-users? Is it really required or is it just a matter of convenience? Can't a new table do it?




And, if you are letting commentators fill in data that may be changed later, you must let them log in to change it. If they can log in, they have a password, and they may be mailed to confirm, reset, etc.

If you wanna add rows in wp-users with "users" data that, once created, can't be changed by these "users" anymore, then this data should definitely go anywhere other than wp-users.

If all you need is a user table and a usermeta table, to be linked to comments and the new feature you wanna develop, just create 2 extra tables and link them with a custom field in wp-comments or with comment metas.



| There could be an "Anonymous" commenter account that would allow anonymous
| comments.

And his surname would be "Hacker" :D

Can I suggest a password for him, or would it just be blank? :DD



| Tons of crap, such as? Please be specific.

My name in a site where I don't wanna have a user account is such crap.



| It shouldn't be linked to that option. As I said previously, unlike
| subscribers, commenter accounts with no comments would be automatically
| deleted.

And if a commentator wants to change the data he filled before, how will he do it?

Because if you want him to come back, you must let him keep his data updated. Or be prepared for angry ppl complaining they can't do it.

Now, if he won't come back... he doesn't need a user account at all, even one that has no permission to do anything. That account would be... crap!



---------------------------
Hikari - The Light illuminates PEACE
http://Hikari.ws
http://ConscienciaPlanetaria.com

Get your own email meunome @ ConscienciaPlanetaria.com.br!: http://seunome.ConscienciaPlanetaria.com.br



More information about the wp-hackers mailing list