[wp-hackers] "commenter" user role

Mike Schinkel mikeschinkel at newclarity.net
Sat Mar 6 01:11:09 UTC 2010

On Fri, Mar 5, 2010 at 11:29 PM, John O'Nolan <john.wp at onolan.org> wrote:
> I like the idea - but unsure of email notifications, I for example
> frequently leave comments with the same email but with different names,
> either John, JohnONolan, or John O'Nolan - I (personally) would find it
> annoying if this triggered notification/verification emails.

Just curious, but why would you/is it important to be able to leave comments with different names?  Seems weird behavior to me, but maybe I just don't understand the rationale.

On Mar 5, 2010, at 4:39 PM, scribu wrote:
> On Fri, Mar 5, 2010 at 11:20 PM, Stephanie Leary <steph at sillybean.net> wrote:
>> Wouldn't that be a subscriber, essentially? It would just be a matter of
>> creating the user when they comment.
> In terms of capabilities, yeah, it would be identical to a subscriber. It
> remains to be seen if there are any technical reasons for adding a separate
> role.

On Mar 5, 2010, at 5:53 PM, Aaron Jorbin wrote:
> 1:  A number of the security holes over the history of WordPress are
> user escalation issues.  By registering everyone who ever leaves a
> comment, you are opening up a number of sites to these.  While keeping
> an up to date installation is obviously the best route,  restricting
> registration is not a bad policy.  

Almost all related security concerns can be addressed by giving people with a role of commenters no login rights unless the admin has enabled creation of user accounts (actually, the rights should be changed to "allow commenters to login.")

> Would you allow anyone to walk up
> to your home computer and create an account?

Sure, if the default account gave them no rights other than to login to a highly restricted sandbox.

> 2.  This would be a pretty big change.  Up until now you had to
> explicitly allow open registration.  What you're proposing is removing
> that option from site admins.  I don't think the core should remove or
> restrict options.

Nope, you are assuming one change without other correspondingly intelligent yet simple changes. See above.

On Mar 5, 2010, at 5:44 PM, Otto wrote:
> Commenters aren't users, they're commenters. They read it and they
> leave comments. Whether their user data is real or not is irrelevant,
> as I see it.

What is a "user", really?  Isn't a user merely a human that interacts with the site?  Any other definition is merely one person's individual preference.

The wp_users table is the perfect place to keep track of all humans that interact with a site and/or that the site needs to track (i.e. "actor"s in a "movie", "player"s on a sports "team", etc.)  Commenters as users make perfect sense.  It opens up the ability to have pages for each commenter showing the posts they've commented on, and more.

All else that would be needed would be to create an optional automatically generated and related record in wp_posts.  Or (god forbid!) deprecate wp_users and move users to wp_posts of post_type "user" (he says as he braces for the howls of disapproval...)

Honestly, having the ability to have a person categorized and tagged would solve real-world needs for most sites I've been involved with. One major site that I developed was a NASCAR sponsorship site for a local Fortune 100 company.  Had users been in wp_posts of type "user" (or better, "person") then each team member could have easily had their name, bios, "fun facts" using custom fields such as favorite food, favorite TV show, first car, etc. and tagged with various attributes like "driver", "pitcrew", "manager", "enginetuner", etc. Having "people" as accessible as "posts", "pages" and other custom data types would open up WordPress' usefulness even more.

On Mar 5, 2010, at 6:18 PM, Aaron Jorbin wrote:
> What about a site that gets 100 comments per post, and 20% are one
> time commenters?  After 50 posts, there are now over 1k users.  And I
> think it would take at least two fields.  Both nicename and
> capabilities.

Modern database systems like MySQL are surprisingly adept at handling 1000 records.  Actually they don't generally have a problem until 3 or 4 orders of magnitude records beyond that.

> That's a vastly different migration, as it didn't really affect users.
> While developers and power users would know what's going on, what
> about when Grandma goes to comment on the latest picture of little
> Matty and enters Grandma Bettie instead of Grandma B that she
> previously used.  We've just now added an extra step for a user who
> should have a very simple experience.

Grandma Bettie can just pound sand.

Okay, just kidding. ;-)  Seriously though, I don't see why you'd even need to notify Mrs. Bettie of anything.  If she changes her name after the first comment just store that alternate name in post_meta; same with any other comment fields.  You could also provide a popup that asks if Grandma wants to replace her old name with the new name and only send the email if she says yes.

If Grandma can type a comment in a post box she can handle a dialog that points out how she has been inconsistent and asks her what to do. Or we can simply put up with the inconsistency by storing it in post_meta.

On Mar 5, 2010, at 6:30 PM, Brian Layman wrote:
> With the trends for linked social communities being what they are and
> with remembered social app auth needs, the desire for registered users
> is going to go up. 


I bet if you can survey the top 25 high traffic blogs on WordPress that haven't already implemented similar custom user/commenter functionality most would prefer commenters be recorded as users because of the additional user engagement opportunities that would provide them.
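
Added example, not part of the original message and not WordPress core code: a plugin-style sketch of the proposal discussed in this thread, in which commenters become users with a zero-capability role and password login for them is refused unless the admin opts in. The role slug `commenter` and the option name `allow_commenters_to_login` are assumptions made for illustration.

```php
<?php
// Added sketch; 'commenter' and 'allow_commenters_to_login' are hypothetical names.

// A role with an empty capability list (a subscriber, by comparison, has 'read').
add_action( 'init', function () {
    if ( null === get_role( 'commenter' ) ) {
        add_role( 'commenter', 'Commenter', array() );
    }
} );

// Create a commenter account the first time an e-mail address comments.
add_action( 'comment_post', function ( $comment_id ) {
    $comment = get_comment( $comment_id );
    $email   = $comment ? sanitize_email( $comment->comment_author_email ) : '';
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return; // No usable address, or an account already owns it.
    }
    wp_insert_user( array(
        'user_login'   => 'commenter_' . md5( strtolower( $email ) ),
        'user_email'   => $email,
        'display_name' => $comment->comment_author,
        'user_pass'    => wp_generate_password( 32, true ), // random, never disclosed
        'role'         => 'commenter',
    ) );
} );

// Runs after core's password check (priority 20): reject commenter-only
// accounts unless the admin has switched the option on.
add_filter( 'authenticate', function ( $user ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user; // Already an error, or not yet authenticated.
    }
    $commenter_only = ( array( 'commenter' ) === array_values( $user->roles ) );
    if ( $commenter_only && ! get_option( 'allow_commenters_to_login', false ) ) {
        return new WP_Error( 'commenter_login_disabled', 'Login is not enabled for this account.' );
    }
    return $user;
}, 100 );
```

Because the comment form does not verify ownership of the e-mail address, the account created here is only a tracking record; the login gate is what keeps it from becoming an authenticated foothold.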