Opened 13 years ago
Closed 7 years ago
#4039 closed enhancement (maybelater)
Blog comments link to a user's activity via the same email address, regardless of it being them or not
| Reported by: | mdpane | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 1.5.4 |
| Component: | Core | Keywords: | 2nd-opinion, trac-tidy-2018 |
| Cc: | mdpane@… | | |
Description
Assuming blog comments are unmoderated:
- A user ‘test’ has an account with the email ‘test@…’
- Someone who isn’t logged in posts a blog comment with the email ‘test@…’
- A new item is added to the activity stream saying the user ‘test’ added this comment, since 'test' has that same email address.
So it's possible to spoof someone if you know their email address and get a blog comment posted to their activity stream, even if it may not actually be them.
Change History (9)
#2 (13 years ago)
- Keywords 2nd-opinion added
- Milestone changed from Awaiting Review to Future Release
Good observation, but I don't know if this is a feature or a bug. The same thing is true of the use of Gravatar.
The only thing I'd consider doing in BP is changing this around a little bit:
http://buddypress.trac.wordpress.org/browser/tags/1.5.4/bp-blogs/bp-blogs-functions.php#L238
Add a switch so that we first look for bp_loggedin_user_id() before doing a get_user_by( 'email' ) lookup, and add a filter so that the admin can prevent the get_user_by('email') lookup for non-logged-in members. That way admins can decide on a case-by-case basis whether to allow non-logged-in activity tracking.
Second opinion?
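As an added illustration of the switch proposed above (example code written for this page, not BuddyPress's own `bp-blogs-functions.php`), here is a helper that decides which member, if any, a new comment's activity item should be attributed to. `bp_loggedin_user_id()`, `get_user_by()`, `apply_filters()` and the `wp_insert_comment` action are real BuddyPress/WordPress functions; the function name `example_bp_blogs_comment_user_id` and the filter name `example_bp_blogs_email_lookup_for_anonymous` are assumptions:

```php
<?php
/**
 * Added example, not BuddyPress code. Decide which member (if any) a newly
 * inserted blog comment should be attributed to in the activity stream.
 *
 * 1. A logged-in member is attributed by their authenticated session.
 * 2. For an anonymous commenter the submitted email is unverified, so the
 *    get_user_by( 'email' ) fallback only runs if the (hypothetical) filter
 *    'example_bp_blogs_email_lookup_for_anonymous' returns true. It defaults
 *    to true to match the proposal in comment #2; flip the default to false
 *    for a secure-by-default install.
 * 3. Otherwise 0 is returned, meaning "no member: record no activity item".
 *
 * @param string $comment_author_email Email submitted with the comment.
 * @return int Member ID, or 0 when the comment must not be attributed to anyone.
 */
function example_bp_blogs_comment_user_id( $comment_author_email ) {
	// 1. Trust the authenticated session, never the self-asserted form field.
	$user_id = (int) bp_loggedin_user_id();
	if ( $user_id > 0 ) {
		return $user_id;
	}

	// 2. Anonymous commenter: let the site admin decide whether an unverified
	//    email may be mapped to a member (hypothetical filter name).
	$allow = apply_filters( 'example_bp_blogs_email_lookup_for_anonymous', true, $comment_author_email );
	if ( ! $allow ) {
		return 0;
	}

	$user = get_user_by( 'email', $comment_author_email );
	return $user ? (int) $user->ID : 0;
}

// A site admin opting out of email-based attribution for anonymous comments:
add_filter( 'example_bp_blogs_email_lookup_for_anonymous', '__return_false' );

// Where it would be consulted: WordPress fires 'wp_insert_comment' with the new
// comment's ID and its WP_Comment object once the comment row exists.
add_action( 'wp_insert_comment', function ( $comment_id, $comment ) {
	$user_id = example_bp_blogs_comment_user_id( $comment->comment_author_email );
	if ( 0 === $user_id ) {
		return; // Unverified or unknown email: attribute the comment to no member.
	}
	// ... pass $user_id and $comment on to the activity recording routine ...
}, 10, 2 );
```

The 0 return is what closes the hole in the description: with the filter returning false, an anonymous comment carrying a member's address is stored as an ordinary unattributed comment instead of appearing as an item on that member's activity stream. The logged-in check alone does not help, since the spoofing commenter is by definition not logged in as the victim.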
#3 (13 years ago), follow-up: #5
I think if the user is logged out, and they have entered the same email as a registered member, we bounce them over to the log in page. It's a bit different from just use of the gravatar because if you have Activity active, it adds an item in that member's profile.
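The check suggested in this comment, as an added example (not BuddyPress code; comments #5 and #7 below confirm it was a suggestion rather than existing behaviour). It hooks WordPress's `preprocess_comment` filter, which runs before a submitted comment is written, and redirects an anonymous commenter whose email belongs to a registered member to the login page, returning them to the post afterwards. `is_user_logged_in()`, `get_user_by()`, `wp_login_url()`, `get_permalink()`, `home_url()` and `wp_safe_redirect()` are real WordPress functions; the function name is an assumption:

```php
<?php
/**
 * Added example, not BuddyPress code. Before a comment is stored, send an
 * anonymous commenter to the login page when the address they typed belongs
 * to a registered member. The member can then log in and post the comment
 * themselves, which is the only way it ends up attributed to them.
 *
 * @param array $commentdata Comment fields as assembled by wp_new_comment().
 * @return array Unchanged $commentdata when the comment may proceed.
 */
function example_bp_require_login_for_member_email( $commentdata ) {
	// Logged-in members are authenticated; nothing to check.
	if ( is_user_logged_in() ) {
		return $commentdata;
	}

	$email = isset( $commentdata['comment_author_email'] ) ? trim( $commentdata['comment_author_email'] ) : '';
	if ( '' === $email || ! get_user_by( 'email', $email ) ) {
		return $commentdata; // Not a member's address: ordinary anonymous comment.
	}

	// Send them to wp-login.php and back to the post they were commenting on.
	$post_id  = isset( $commentdata['comment_post_ID'] ) ? (int) $commentdata['comment_post_ID'] : 0;
	$redirect = $post_id ? get_permalink( $post_id ) : home_url( '/' );
	wp_safe_redirect( wp_login_url( $redirect ) );
	exit;
}
add_filter( 'preprocess_comment', 'example_bp_require_login_for_member_email' );
```

One trade-off worth knowing before choosing this over the filter approach in comment #2: because the redirect only happens when the address matches a member, an anonymous poster can learn whether a given address is registered on the site. The attribution switch leaves the visible response unchanged, at the cost of silently storing an unattributed comment.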
#4 (13 years ago)
Would it be possible to have an email sent to that comment's email address and have them approve it to be posted? Or should I look into a separate plugin for that?
#5 (13 years ago), in reply to: #3; follow-up: #7
Replying to DJPaul:
I think if the user is logged out, and they have entered the same email as a registered member, we bounce them over to the log in page.
I assume you are making a suggestion here rather than a statement about what we currently do, correct? I think it's a better suggestion (easier to implement, at least) than mdpane's email notification suggestion. mdpane, if you explicitly want email verification, I think that's going to be plugin territory.
#6 (13 years ago)
Yes, you're correct and I found a plugin that can do just that until we implement DJPaul's suggestion.
#7 (13 years ago), in reply to: #5
Replying to boonebgorges:
I assume you are making a suggestion here rather than a statement about what we currently do, correct? I think it's a better suggestion
Yep.
#8 (7 years ago)
- Keywords trac-tidy-2018 added
We're closing this ticket because it has not received any contribution or comments for at least two years. We have decided that it is better to close tickets that are good ideas, which have not gotten (or are unlikely to get) contributions, rather than keep things open indefinitely. This will help us share a more realistic roadmap for BuddyPress with you.
Everyone very much appreciates the time and effort that you spent sharing your idea with us. On behalf of the entire BuddyPress team, thank you.
If you feel strongly that this enhancement should still be added to BuddyPress, and you are able to contribute effort towards it, we encourage you to re-open the ticket, or start a discussion about it in our Slack channel. Please consider that time has proven that good ideas without contributions do not get built.
For more information, see https://bpdevel.wordpress.com/2018/01/21/our-awaiting-contributions-milestone-contains/
or find us on Slack, in the #buddypress channel: https://make.wordpress.org/chat/
Turns out, even if comments are moderated and you approve a pending comment with an email that’s linked to an existing user, it’ll show up on that user’s feed too.