[wp-trac] [WordPress Trac] #60693: "Previously approved comment" for logged out users bug
WordPress Trac
noreply at wordpress.org
Wed Mar 6 01:30:05 UTC 2024
#60693: "Previously approved comment" for logged out users bug
--------------------------+------------------------------
Reporter: jmorti | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Comments | Version: 6.4.3
Severity: normal | Resolution:
Keywords: 2nd-opinion | Focuses:
--------------------------+------------------------------
Changes (by knutsp):
* keywords: => 2nd-opinion
Comment:
This is the way it has always worked, and I see this as a feature, not a
bug. But annoying.
If the comment being made is from an email belonging to a registered user,
the search for earlier, approved comments is made by that found and
assumed user-ID, not by the email.
If WP were to search for comments by email regardless of successfully
looking it up as a registered user, it would be too easy (for spammers) to
impersonate that user to avoid moderation. While the emails of visiting
commenters are not public, the emails of registered users may be listed
publicly, or at least somewhat guessable on some sites.
A change to ''forcing'' registered users to log in before commenting, based
on the given email, would also not be safe enough, as this may definitely
confirm a specific email belongs to a registered user.
My workaround is to advise registered users to keep their browsing local
device (computer) account (User Agent) secure and self-locking **and** to
stay logged in on normal web apps like WP sites, ''or'' always simply log
in before commenting on WP.
Some users have learned to log out of any system after a session, at least
on desktops, but tend to trust the device security when using native
mobile apps. Immediately logging out is either forced, or at least fine,
for high risk or sensitive data systems, or when among people one should
not trust. For most uses, staying logged in for two weeks (remember me),
and using multi factor authentication, is the best compromise between
security and usability, IMHO.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/60693#comment:2>
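As an added illustration (not WordPress's own code, and not part of the ticket), a simplified PHP model of the lookup knutsp describes above: when the submitted email belongs to a registered user, the search for an earlier approved comment is keyed on that user's ID, otherwise on the submitted name and email. The user and comment records are constructed sample data; Alice's case, a registered user whose earlier approved comments were posted while logged out, is the situation the ticket reports.

```php
<?php
// Added illustration, not WordPress code: an in-memory model of the
// "comment author must have a previously approved comment" check.
// All records below are constructed sample data.

$users = [
    ['ID' => 7, 'user_email' => 'alice@example.com'],   // registered, comments while logged out
    ['ID' => 9, 'user_email' => 'carol@example.org'],   // registered, comments while logged in
];
$comments = [
    // Alice's earlier approved comment was posted logged out: stored with user_id 0.
    ['user_id' => 0, 'comment_author' => 'Alice', 'comment_author_email' => 'alice@example.com', 'comment_approved' => '1'],
    // Bob has no account; his earlier approved comment is keyed only by name and email.
    ['user_id' => 0, 'comment_author' => 'Bob',   'comment_author_email' => 'bob@example.net',   'comment_approved' => '1'],
    // Carol commented while logged in, so the row carries her user ID.
    ['user_id' => 9, 'comment_author' => 'Carol', 'comment_author_email' => 'carol@example.org', 'comment_approved' => '1'],
];

function find_user_by_email(array $users, string $email): ?array {
    foreach ($users as $u) {
        if (strcasecmp($u['user_email'], $email) === 0) {
            return $u;
        }
    }
    return null;
}

// Returns true when the new comment may skip moderation.
function has_previously_approved(array $users, array $comments, string $author, string $email): bool {
    $user = find_user_by_email($users, $email);
    foreach ($comments as $c) {
        if ($c['comment_approved'] !== '1') {
            continue;
        }
        if ($user !== null) {
            // Email belongs to a registered user: match on that user's ID only,
            // never on the email, so knowing the address alone is not enough.
            if ((int) $c['user_id'] === (int) $user['ID']) {
                return true;
            }
        } elseif ($c['comment_author'] === $author && $c['comment_author_email'] === $email) {
            // Unregistered visitor: match on the submitted name and email.
            return true;
        }
    }
    return false;
}

var_dump(has_previously_approved($users, $comments, 'Alice', 'alice@example.com'));
var_dump(has_previously_approved($users, $comments, 'Bob', 'bob@example.net'));
var_dump(has_previously_approved($users, $comments, 'Carol', 'carol@example.org'));
```

Only Carol's row is found through the user-ID branch; Alice's logged-out history is invisible to it, which is why staying logged in (or logging in before commenting) is the workaround suggested above.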