[wp-hackers] "commenter" user role

scribu scribu at gmail.com
Fri Mar 5 23:04:35 UTC 2010

On Sat, Mar 6, 2010 at 12:53 AM, Aaron Jorbin <aaron at jorb.in> wrote:

> I disagree with you on both regards.
> 1. A number of the security holes over the history of WordPress are
> user escalation issues. By registering everyone who ever leaves a
> comment, you are opening up a number of sites to these. While keeping
> an up to date installation is obviously the best route, restricting
> registration is not a bad policy. Would you allow anyone to walk up
> to your home computer and create an account?
> 2. This would be a pretty big change. Up until now you had to
> explicitly allow open registration. What you're proposing is removing
> that option from site admins. I don't think the core should remove or
> restrict options.

Ok, valid point about security.

> 3. I'm not convinced that this improves the database structure. It
> has the potential to vastly grow the user and user_meta fields.

No, not vastly, since repeat commenters would get a single user, with no
usermeta fields, except the one for capabilities.

> how do you intend to handle the issue of sites that already have
> thousands of comments?  I for one wouldn't appreciate waking up to the
> day after 3.1 (or whenever this got implemented) is released to an
> e-mail from every site that I've commented on with a user account.

Of course previous commenters wouldn't receive welcome emails.

Just as WordPress was able to transition from posts2cats for example, it
should be possible to migrate commenters to the wp_users table.