[wp-hackers] OpenID vs wp-comments-post.php

matthias at netsensei.nl matthias at netsensei.nl
Sat Jun 23 14:06:57 GMT 2007


Recently I created a wordpress plugin for WP2.1: simple OpenID plugin.
What it does is act as a simple OpenID consumer for commenters using their
OpenID instead of entering their nickname or using a local WP account.


I got a beta released in May... it seemed to work with a little effort on
WP 2.1 but WP 2.2 seems to be a no go.

Description of the problem:

Whenever a commenter wishes to use his OpenID login, he/she gets a blank
page on wp-comments-post.php.


The OpenID protocol notes that consumer should redirect the user's user
agent (browser) to their respective OpenID provide (i.e. myopenid.com) for
authentication. The OpenID provider redirects them back to the consumer
script  they came from with a positive/negative authentication answer and
some additional data. Based upon the answer, the script can react
accordingly: logging in or - in this case - allowing a comment to be saved
in the WP database.


In 2.2 wp-comments-post.php doesn't allow GET requests anymore which
results in a blank page due to a security patch.

- http://comox.textdrive.com/pipermail/wp-hackers/2007-February/010722.html
- http://trac.wordpress.org/ticket/3797

The problem is that my OpenID plugin hooks on wp-comments-post.php. It
redirects the users to their OpenID provider. The provider then sends them
back to wp-comments-post.php with a GET request. Finally, the plugin gets
the user data from GET request and uses it to complete the comment before
storing it in the WP database.

So. There you have it. I acknowledge that using GET requests directly on
wp-comments-post.php is an open inivitation for spammers, but it closes a
lot of opportunities. I could hack around using some other script and the
'init' action hook in order to get GET requests to accepted, but that's
not really a good solution. Conversion of GET to POST before feeding to
wp-comments-post.php isn't a great solution either.

I wonder if someone has a good idea to get this working properly.

Oh, an unrelated problem: under WP 2.1, OpenID enabled comments posted
through my plugin where send to the spambin by askimet nonetheless.

Thanks in advance,

Matthias Vandermaesen

More information about the wp-hackers mailing list