BuddyPress.org

Opened 12 years ago

Closed 6 years ago

#4039 closed enhancement (maybelater)

Blog comments link to a user's activity via the same email address, regardless of it being them or not

Reported by: mdpane
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 1.5.4
Component: Core
Keywords: 2nd-opinion, trac-tidy-2018
Cc: mdpane@…

Description

Assuming blog comments are unmoderated:

  • A user ‘test’ has an account with the email ‘test@…’
  • Someone who isn’t logged in posts a blog comment with the email ‘test@…’
  • A new item is added to the activity stream saying the user ‘test’ added this comment, since 'test' has that same email address.

So it's possible to spoof someone if you know their email address and get a blog comment posted to their activity stream, even if it may not actually be them.

Change History (9)

#1 @mdpane
12 years ago

Turns out, even if comments are moderated and you approve a pending comment with an email that’s linked to an existing user, it’ll show up on that user’s feed too.

#2 @boonebgorges
12 years ago

  • Keywords 2nd-opinion added
  • Milestone changed from Awaiting Review to Future Release

Good observation, but I don't know if this is a feature or a bug. The same thing is true of the use of Gravatar.

The only thing I'd consider doing in BP is changing this around a little bit:
http://buddypress.trac.wordpress.org/browser/tags/1.5.4/bp-blogs/bp-blogs-functions.php#L238
Add a switch so that we first look for bp_loggedin_user_id() before doing a get_user_by( 'email' ) lookup, and add a filter so that the admin can prevent the get_user_by('email') lookup for non-logged-in members. That way admins can decide on a case-by-case basis whether to allow non-logged-in activity tracking.

Second opinion?

#3 follow-up: @DJPaul
12 years ago

I think if the user is logged out, and they have entered the same email as a registered member, we bounce them over to the log in page. It's a bit different from just use of the gravatar because if you have Activity active, it adds an item in that member's profile.
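The two suggestions above (comment 2: prefer bp_loggedin_user_id() over a get_user_by( 'email' ) lookup and let admins switch the email lookup off; comment 3: send a logged-out commenter whose email matches a registered member to the login page) as one added illustration. This is example code written for this page, not BuddyPress's own implementation; the function names bp_example_resolve_comment_user() and bp_example_guard_anonymous_comment() and the filter name 'bp_example_allow_email_author_lookup' are hypothetical, while bp_loggedin_user_id(), get_user_by(), apply_filters(), is_user_logged_in(), email_exists(), wp_login_url(), wp_safe_redirect() and the 'preprocess_comment' filter are existing WordPress/BuddyPress functions and hooks.

```php
<?php
// Added example, not BuddyPress code. Hypothetical names: the two functions
// below and the filter 'bp_example_allow_email_author_lookup'.

/**
 * Decide which member (if any) a blog-comment activity item is attributed to.
 *
 * Order of precedence follows comment 2 on the ticket: a logged-in commenter
 * is always attributed to their own account; only an anonymous comment falls
 * back to matching the email field, and a site admin can disable that fallback.
 *
 * @param WP_Comment|object $comment Comment with comment_author_email and user_id.
 * @return int User ID, or 0 to attach the comment to nobody's activity stream.
 */
function bp_example_resolve_comment_user( $comment ) {
    // Logged-in commenter: trust the session, never the typed email address.
    $user_id = (int) bp_loggedin_user_id();
    if ( $user_id > 0 ) {
        return $user_id;
    }

    // WordPress stores the author's ID on the comment row when it was posted
    // while logged in (e.g. when the comment is approved later from moderation).
    if ( ! empty( $comment->user_id ) ) {
        return (int) $comment->user_id;
    }

    // Anonymous comment: the email lookup stays on by default (the behaviour
    // described in the ticket) but an admin can switch it off with the filter.
    $allow_lookup = apply_filters( 'bp_example_allow_email_author_lookup', true, $comment );
    if ( ! $allow_lookup ) {
        return 0;
    }

    $user = get_user_by( 'email', $comment->comment_author_email );
    return $user ? (int) $user->ID : 0;
}

/**
 * Comment 3's alternative: before an anonymous comment is saved, bounce the
 * visitor to the login page if the email belongs to a registered member.
 *
 * @param array $commentdata Comment fields as passed by 'preprocess_comment'.
 * @return array Unchanged comment data when no redirect is needed.
 */
function bp_example_guard_anonymous_comment( $commentdata ) {
    if ( is_user_logged_in() ) {
        return $commentdata;
    }

    $email = isset( $commentdata['comment_author_email'] ) ? $commentdata['comment_author_email'] : '';
    if ( '' !== $email && email_exists( $email ) ) {
        // Send them to log in, then back to the post they were commenting on.
        $return_to = get_permalink( (int) $commentdata['comment_post_ID'] );
        wp_safe_redirect( wp_login_url( $return_to ) );
        exit;
    }

    return $commentdata;
}
add_filter( 'preprocess_comment', 'bp_example_guard_anonymous_comment' );

// An admin who wants anonymous comments never attributed to a member by email:
// add_filter( 'bp_example_allow_email_author_lookup', '__return_false' );
```

The two functions are independent: a site can use the redirect alone, the attribution rule alone, or both. The filter default of true keeps the behaviour the ticket describes unless an admin opts out; a site that prefers to fail closed can flip the default to false in the apply_filters() call so an anonymous comment is never attached to a member's activity stream.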

#4 @mdpane
12 years ago

Would it be possible to have an email sent to that comment's email address and have them approve it to be posted? Or should I look into a separate plugin for that?

#5 in reply to: ↑ 3 ; follow-up: @boonebgorges
12 years ago

Replying to DJPaul:

I think if the user is logged out, and they have entered the same email as a registered member, we bounce them over to the log in page.

I assume you are making a suggestion here rather than a statement about what we currently do, correct? I think it's a better suggestion (easier to implement, at least) than mdpane's email notification suggestion. mdpane, if you explicitly want email verification, I think that's going to be plugin territory.

#6 @mdpane
12 years ago

Yes, you're correct and I found a plugin that can do just that until we implement DJPaul's suggestion.

#7 in reply to: ↑ 5 @DJPaul
12 years ago

Replying to boonebgorges:

I assume you are making a suggestion here rather than a statement about what we currently do, correct? I think it's a better suggestion

Yep.

#8 @DJPaul
6 years ago

  • Keywords trac-tidy-2018 added

We're closing this ticket because it has not received any contribution or comments for at least two years. We have decided that it is better to close tickets that are good ideas, which have not gotten (or are unlikely to get) contributions, rather than keep things open indefinitely. This will help us share a more realistic roadmap for BuddyPress with you.

Everyone very much appreciates the time and effort that you spent sharing your idea with us. On behalf of the entire BuddyPress team, thank you.

If you feel strongly that this enhancement should still be added to BuddyPress, and you are able to contribute effort towards it, we encourage you to re-open the ticket, or start a discussion about it in our Slack channel. Please consider that time has proven that good ideas without contributions do not get built.

For more information, see https://bpdevel.wordpress.com/2018/01/21/our-awaiting-contributions-milestone-contains/
or find us on Slack, in the #buddypress channel: https://make.wordpress.org/chat/

#9 @DJPaul
6 years ago

  • Milestone Awaiting Contributions deleted
  • Resolution set to maybelater
  • Status changed from new to closed