[wp-hackers] "commenter" user role

Mike Schinkel mikeschinkel at newclarity.net
Sat Mar 6 23:38:00 UTC 2010 

On Mar 6, 2010, at 5:02 PM, Hikari wrote:
> My concern is regarding a wp-users row, which needs just a role change to become admin. Without a password it may become more secure 
> or less secure depending on how it's implemented, but I'd really not like wp-users rows being created as a result of a comment. Not 
> worthy the security risk.

The security risk can be minimized to near zero if more than role are tested for escalation of privilege.  Safeguards can be put in place, like if password is blank they can't login within explicit escalation.  A can_login field could be set to know.  

Basically I agree anything can be potentially insecure but if that's the case then everything in WordPress is a security risk. Build in several checks and then the likelihood of all having a bug in then are near zero.

If you say a hacker can get access to the database and add a password and add a can_login value then I'll say a hacker can add themselves a row in the user table. There is really no significant difference between the security hole for the two.  

> | Sure, but then you don't get said pages nicely themed with the off-the-shelf themes most people are using these days.
> 
> just hook a filter to comment_author_link and no theme will need to be changed

That's apples and oranges.  Most themers don't think in terms of a visual display relevant to a commenter. Hooking author doesn't change that.  Adding commenters into the wp_users table would.  Read more below about the progression of a commenter to an editor and why this is a valuable idea.
> 
> also don't expect theme authors, with all the love they receive, to be happy if core requires them to change their outdated themes 
> to support this feature :p

This change would *require* it, it would *enable* the better theme makers to differentiate themselves.
> 
> | You are not listening...  I have not suggested that anyone be required to register in order to be able to comment (that'd be 
> foolish, in most cases.)
> 
> I've just read somebody saying that this feature is only for people that is already forcing registration to allow commenting, and 
> somebody else agreed o.O

I think that person who agreed was not in favor of this option.  It would be like telling me another Republican didn't think Obama's health care plan was a good idea.

> But I also read in the begining of the talk that the objective was to reduce database size on avoiding duplicates in wp-comments, 

> which turned back to duplicates using metadata to store multiple different data for the same person, and I pointed out that moving 
> commentators data to wp-users on a site with a lot of commentators that make only 1 comment would increase database size indeed, and 
> this size is insignificant anyway :p

And I'm saying that's the least valuable reason to consider this. :-p backatcha.

> | Maybe; that would be up for discussion.  I was just proposing it for the idea and if adopted the community would figure it out.
> 
> "2 posts are logged in ATM, they are on themselves posts", that would be funny to read :D

That's a non-sequitor. Clearly it would be stupid to implement this and leave old logic in plan that would display such a comment

> No parallel records. Everything wp-users and user metadata stores will remain there, and postmeta will store everything else :)

One of us misunderstands. I was proposing to consider using wp_posts with a post_type of 'user' instead of wp_users. In the case where we keep wp_users and also created a record of wp_posts with a post_type of 'user', they are parallel.  It seems a binary option; how is it not?

> but I'd still prefere a wp-commentators table, I've already disabled revisions and drafts to not just posts ID
> 
> a new table is not the end of the world, my site has 38, and if we considers the risks of having simple commentators lying on 
> wp-users, a table to store them is the next logical idea

We clearly both have different preferences and they are irrelevant.  What's important is to judge what each architect would enable on their respective merits. 

I'm not arguing against a new table, I'm arguing against using a new table where an existing table would offer many of the features immediately that people would want to later add duplicating functionality for.  I'm also arguing for a table that many plugins support enhancements for with minor mods vs. your new table would be starting from scratch with plugin support.

> Wait, if these high traffic sites are already letting users login, for sure they'll want commentators stored in wp-users. But if 
> they aren't, they won't like it.

So if it's not yes, it's no?   Your point is?

> And high traffic sites can still be administrated by security noobs that will only want the feature working and only bother with 
> hacking after their high traffic sites are not high traffic anymore.

Not existing high traffic sites.  So ask them what they care about.  If it works for them then they will already have addressed your concern for the noobs you speak of.

BTW, what exactly are you saying about what's being proposed her would actually slow a site down in any meaningful way?  What are you really afraid of here?  In general we are talking architecture and you argue with feature set.

> I still don't get why commentators should be stored in wp-users at all.
> If it's just to store their data, a new table can solve it. 
> If they won't be required to create account and deal with it, a new table can solve it. But if they will have an account, or if a 
> new feature will handle with current users too, than just use wp-users and leave it in a plugin.

Because, put simply commenters (not commentators) are people. Storing people in many different tables ultimately causes a whole host of problems and forces a painful merge process in the future as the reality that people can have many roles becomes apparent.  Better to recognize that problem early on and address it now rather than have to go through the pain later.

BTW, I went through that painful merge process with people at customer sites and people who worked at my vendors early last decade and my database was well over 250,000 people.  I not trying to discredit your experience in any way but I would like to ask this: Have you ever dealt with a large scale database of people in a context where maintaining the database was critical to the health of an organization?  

It seems easy to just create another table because they seem different today but if a system evolves as WordPress clearly has been and appears as it will continue, issues like these never stay that easy.

> | > Currently registered users? Add a field to wp-commentators that FK wp-users, or simply the plugin uses wp-users and gets the
> | > responsibility for it.
> |
> | Adding a wp_commenters table would not be smart.  That reminds me of QuickBooks with separate Vendors and Customers which is truly 
> a nightmare when your vendors are also your customers (which is exactly how a business I ran for 12 years operated.)  Having 
> multiple tables for people is just a bad idea, period.  I have too much painful experience to ever want to go through that again 
> without putting up a serious fight.
> 
> But we are not talking about e-commerce here...

I'm not talking e-commerce either, I'm talking database design. I gave one example I lived through but there are many more examples that are not ecommerce such a forum users vs. forum moderators, sports team members and their fans, people on Facebook, people on Twitter; the list is endless. 

People are people, indivisible.  Don't segment people and put them in multiple tables. Period. It never works well long term.

> But wp-users is too powerful, detailed and risky *if* all we need is 
> take 3 fields out of wp-comments and add a FK field to it.

Oooh, so now people in wp_users are *magic*! ;-p

> Only if new features are developed that require more user interaction than simply commenting, and that would require them to 
> register, that wp-users would be worth it.

Alright, so you agree. ;-)

Seriously, there are tens if not hundreds of "fields" to add about commenters; we should enable plugins to do in a standard way, i.e.

-- Twitter name
-- Facebook URL
-- LinkedIn URL
-- Company Name
-- Company URL
-- Bio
-- (need I go on?)

These are things that will enable gradual engagement and are things that plugins are perfect for. Let's give them a standard way to grow.

> But some ppl wanna automatically add rows to wp-users without giving them passwords and letting them login. For this need, wp-users 
> is not a good place to store commentators, because even though they are already people, their usage differ a lot from registered 
> users.

You are just making assertions without any evidence. Nothing you said there discredits storing them in the wp_users table with a role of 'commenter' (or in the wp_posts table as type 'user' and a taxonomy value of 'commenter.') 

> Again, would you create a user account to every visitor of your site? They are people too, and a stat plugin could use it...

Possibly, via a plugin. But I don't argue that is needed in the core, it's too hard to identify a unique user in that manner.  But when someone comments and gives an email, that's an entirely different matter; they are engaged and they are significant to the site owner (or should be.)

OTOH, having a system that tracks users by cookie and then assigns their history if and when they login is very intriguing... (we did that with custom code on our website.)  There are companies that charge lots of money for this; having it built into core would be nice indeed.  But that's a discussion for a day well into the future.

> | > | With better tools to enable and encourage comments (which this could be the base of), there might be
> | > | fewer one time commenters...
> 
> See? Which new features would these be?

There are hundreds of ideas. Basically, these are up to a site owner to figure out for their site, basically their marketing plan.  But here are a few:

-- Having a page that lists their comments, for one.  
-- Emailing them after a comment asking them to fill out a profile (this would be plugin territory.)  
-- Ask them to give you their Twitter account so your site could follow them and display their latest tweet.
-- Given them reasons to find your site when they egosurf, and learn what they like and offer them content.

> Commenting is *not* something that justify using wp-users.

Saying it without justification isn't a valid argument against.

> | Then you are not doing a very good job of creating a loyal readership,
> | you are just being SEO opportunistic, not a great long term strategy
> | as content farms work to capture more and more SEO traffic (see
> | http://www.readwriteweb.com/archives/content_farms_impact.php)
> 
> well I'm not specialist on this subject, and I myself only go back to 2 or 3 sites often.

But you have opinions as if you were one, no?  ;-)

> Most Wordpress sites are not forums, 

> and most ppl don't read large texts.

Those are non-sequitors and not relevant to the argument.  If it were, why should we allow comments on blogs, and why should people blog at all?

> As I said before, there are ppl like multiply.com users that create account for commenting and start blogging after it. I hardly 
> would create account on an unknown site just for comment on it.

Please can we just stop with the "I don't want to create an account to have to start commenting" already?  That's not on the table. Full stop.

> Will you say that most Wordpress users have high traffic and loyable commenters?

Without a statically accurate survey anything I say would be supposition.  I assume it follows the long tail meaning that most sites do not have high traffic and loyal commenters, but my assumptions are not important. 

Also, I know anecdotally of some sites with fiercely loyal commenters with lots of comments, for example http://www.avc.com/  (he uses Disqus, btw.) Unfortunately when I read his comments I don't get the opportunity to click through to a page about the commenter to learn more about them.  I'm certain on his site that the people who comment on practically every post would be very happy to create a full profile there as they see themselves as part of a community. I can also imagine tens of thousands of other sites in their respective communities that have the same loyal commenters.

Now if we put them commenters and wp_commenters and "the blessed few" in wp_users, let's look at the transition we see in new commenters to blessed few (note, this is mostly a continuum, not all discrete steps):

new commenter -> 
repeat commenter -> 
profile updater -> 
active commenter -> 
profile showcaser -> 
guest poster -> 
frequent author -> 
guest editor -> 
site co-owner

So when does someone move from being a commenter and to being a user, huh?  Do we create two templates, one for the commenter and the other for user?  Or, like Facebook, do we create one that morphs depending on the person?

There is no such thing as commenters and users; there are just people.  People and their information, their actions, and other's actions related to them. Creating an arbitrary distinction between the two is self defeating.

> I have a few BTW.

Good for you. With better engagement tools you could have more.
> 
> Note Wordpress is a CMS, not  a traffic saver. What keeps ppl coming is the content.

Sheesh.  I'm so tired of people "defining" what WordPress is and what it isn't.  It's like the "WordPress is not a CMS" debate yet that's how many people in business are using it (and now with custom post types, they really can; YES!)

WordPress can be whatever people want it to be, and can evolve to serve the needs of those currently using it.  Many people currently using it have lots of commenters and I'll bet whatever you want that giving them an architecture to build on for driving engagement would be something they'd really like.

BTW, I'm sure some people are thinking about BuddyPress while reading this.  Well, just like WPMU, shouldn't base functionality be in core and UI be in the plugins?  Allowing commenters to be in wp_users provides that base functionality.

> With only active users having account, their password would need to be hacked to hack the site.

If security is your only concern then I suggest you host your websites on a computer than is not connected to any network. That's the only way to keep them from getting hacked.

OTOH, if you see that as silly (as it is) then let's look at how to ensure that this won't increase the hackable footprint instead of letting fear of something that can be risk managed stop progress.

> Could you copy here the 2.9.2 launching text?

Huh?  You talking about this?  http://tmacuk.co.uk/?p=180
If yes, note that it required a user to be logged in.  As proposed a commenter would not be able to login unless explicitly allowed by the site owner.

> hackers don't use normal UIs...

Sigh.  I give up debating with you.  Your mind is made up, any evidence I present you just ignore and continue to bring up things that have already been addressed.

No more discussions with you on this topic. 

-Mike

More information about the wp-hackers mailing list