X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/9bee6db8c604efd705d6d808fca3194eb4873cf4..7e0d4b422d97a7c8cdb196e86df9869d2cbf88be:/doc/todo/comments.mdwn

diff --git a/doc/todo/comments.mdwn b/doc/todo/comments.mdwn
index a2c1deeb3..7a113bee3 100644
--- a/doc/todo/comments.mdwn
+++ b/doc/todo/comments.mdwn
@@ -10,15 +10,56 @@
   > it's hard enough to get some people to title their blog posts :-)
   > --[[smcv]]
 
-* If a spammer posts a comment, it is either impossible or hard to clean
-  up via the web. Would be nice to have some kind of link on the comment
-  that allows trusted users to remove it (using the remove plugin of
-  course).
+## Won't fix
 
-  > Won't the remove plugin refuse to remove internal pages? This would be
-  > a good feature to have, though. --[[smcv]]
+* Because IkiWiki generates static HTML, we can't have a form inlined in
+  page.tmpl where the user fills in an entire comment and can submit it in
+  a single button-press, without being vulnerable to cross-site request forgery.
+  So I'll put this in as wontfix. --[[smcv]]
+
+  > Surely there's a way around that?
+  > A web 2.0 way comes to mind: The user clicks on a link
+  > to open the comment post form. While the nasty web 2.0 javascript :)
+  > is manipulating the page to add the form to it, it looks at the cookie
+  > and uses that to insert a sid field.
+  > 
+  > Or, it could have a mandatory preview page and do the CSRF check then.
+  > --[[Joey]]
+
+* It would be useful to have a pagespec that always matches all comments on
+  pages matching a glob. Something like `comment(blog/*)`.
+  Perhaps postcomment could also be folded into this? Then the pagespec
+  would match both existing comments, as well as new comments that are
+  being posted.
+
+  > Please see [[plugins/comments/discussion]]. If I've convinced you that
+  > internal pages are the way forward, then sure, we can do that, because
+  > people who can comment still won't be able to edit others' comments
+  > (one of my goals is that commenters can't put words into each other's
+  > mouths :-) )
+  >
+  > On the other hand, if you still want me to switch this plugin to "real"
+  > pages, or if internal pages might become editable in future, then
+  > configuring lockedit/anonok so a user X can add comments to blog pages
+  > would also let X edit/delete comments on blog pages (including those
+  > written by others) in arbitrary ways, which doesn't seem good. --[[smcv]]
 
-## Patches pending merge
+  > I had a look at implementing comment() and fell afoul of
+  > some optimisations that assume only internal() will be used to match
+  > internal pages. So probably this isn't worth doing. --[[Joey]]
+
+## Done
+
+* There is some common code cargo-culted from other plugins (notably inline and editpage) which
+  should probably be shared
+
+  > Actually, there's less of this now than there used to be - a lot of simple
+  > things that were shared have become unshareable as they became more
+  > complex. --[[smcv]]
+
+  > There's still goto. You have a branch for that. --[[Joey]] 
+
+  >> Now merged --[[smcv]]
 
 * The default template should have a (?) icon next to unauthenticated users (with the IP address
   as title) and an OpenID icon next to OpenIDs
@@ -64,43 +105,12 @@
   > and c42f174e fix another `beautify_urlpath` bug and add a regression test
   > --[[smcv]]
 
+
 * Now that inline has some comments-specific functionality anyway, it would
   be good to output `<link rel="comments">` in Atom and the equivalent in RSS.
 
   > Fixed in my comments branch by d0d598e4, 3feebe31, 9e5f504e --[[smcv]]
 
-## Won't fix
-
-* There is some common code cargo-culted from other plugins (notably inline and editpage) which
-  should probably be shared
-
-  > Actually, there's less of this now than there used to be - a lot of simple
-  > things that were shared have become unshareable as they became more
-  > complex. --[[smcv]]
-
-* It would be useful to have a pagespec that always matches all comments on
-  pages matching a glob. Something like `comment(blog/*)`.
-  Perhaps postcomment could also be folded into this? Then the pagespec
-  would match both existing comments, as well as new comments that are
-  being posted.
-
-  > Please see [[plugins/comments/discussion]]. If I've convinced you that
-  > internal pages are the way forward, then sure, we can do that, because
-  > people who can comment still won't be able to edit others' comments
-  > (one of my goals is that commenters can't put words into each other's
-  > mouths :-) )
-  >
-  > On the other hand, if you still want me to switch this plugin to "real"
-  > pages, or if internal pages might become editable in future, then
-  > configuring lockedit/anonok so a user X can add comments to blog pages
-  > would also let X edit/delete comments on blog pages (including those
-  > written by others) in arbitrary ways, which doesn't seem good. --[[smcv]]
-
-  > I had a look at implementing comment() and fell afoul of
-  > some optimisations that assume only internal() will be used to match
-  > internal pages. So probably this isn't worth doing. --[[Joey]]
-
-## Done
 
 * Add `COMMENTOPENID`: the authenticated/verified user name, if and only if it was an OpenID
 
@@ -139,3 +149,22 @@
   first. --[[smcv]]
 
   > done --[[Joey]]
+
+* If a spammer posts a comment, it is either impossible or hard to clean
+  up via the web. Would be nice to have some kind of link on the comment
+  that allows trusted users to remove it (using the remove plugin of
+  course).
+
+  > Won't the remove plugin refuse to remove internal pages? This would be
+  > a good feature to have, though. --[[smcv]]
+
+  > Here, FWIW, is the first ikiwiki comment spam I've seen:
+  > <http://waldeneffect.org/blog/Snake_bite_information/#blog/Snake_bite_information/comment_1>
+  > So that took about 10 days...
+  > --[[Joey]] 
+
+  >> Implemented in my 'comments' branch, please review. It turns out
+  >> [[plugins/remove]] is happy to remove internal pages, so it was quite
+  >> easy to do. --[[smcv]]
+
+  >>> done --[[Joey]] 
