[wp-hackers] "commenter" user role
scribu
scribu at gmail.com
Fri Mar 5 23:04:35 UTC 2010
On Sat, Mar 6, 2010 at 12:53 AM, Aaron Jorbin <aaron at jorb.in> wrote:
> I disagree with you on both regards.
>
> 1: A number of the security holes over the history of WordPress are
> user escalation issues. By registering everyone who ever leaves a
> comment, you are opening up a number of sites to these. While keeping
> an up-to-date installation is obviously the best route, restricting
> registration is not a bad policy. Would you allow anyone to walk up
> to your home computer and create an account?
>
> 2. This would be a pretty big change. Up until now you had to
> explicitly allow open registration. What you're proposing is removing
> that option from site admins. I don't think the core should remove or
> restrict options.
>
Ok, valid point about security.

> 3. I'm not convinced that this improves the database structure. It
> has the potential to vastly grow the user and user_meta fields.

No, not vastly, since repeat commenters would get a single user, with no
usermeta fields, except the one for capabilities.

> Also,
> how do you intend to handle the issue of sites that already have
> thousands of comments? I for one wouldn't appreciate waking up to the
> day after 3.1 (or whenever this got implemented) is released to an
> e-mail from every site that I've commented on with a user account.
>
Of course previous commenters wouldn't receive welcome emails.
Just as WordPress was able to transition from posts2cats for example, it
should be possible to migrate commenters to the wp_users table.
--
http://scribu.net