bbPress.org

Opened 16 years ago

Closed 16 years ago

#1244 closed defect (bug) (fixed)

Issues with Anonymous Posting

Reported by: Gautam Gupta
Owned by:
Milestone: 1.1
Priority: high
Severity: critical
Version: 1.1-alpha
Component: Back-end
Keywords: has-patch tested
Cc: nightgunner5@…, dimadin

Description

Here are a few issues which need to be addressed:

1) Add logic for non-logged in users in bb_check_comment_flood(). It is on todo, but just putting this point here so that it doesn't go into the release as it is.

2) bb_get_current_commenter() should be bb_get_current_poster() and cookies should be 'post_author_'.COOKIEHASH, 'post_author_email_'.COOKIEHASH etc. instead of 'comment_author_'.COOKIEHASH etc. (as there are posts, not comments in bbPress)

3) The change here (http://trac.bbpress.org/changeset/2390/trunk/bb-templates/kakumei/post-form.php) should be a function (eg. named 'bb_loginless_postmeta_form' in functions.bb-template.php) which is hooked to 'post_form_pre_post' as custom made themes won't have this form, and if the user wants anonymous posting feature, he/she will have to add this on their own, and many don't know how to do this (which might increase support requests later, so better do it before the feature comes out in 1.1).

2nd is totally optional but in my opinion 3rd should be done. I'll try to attach patches when I get time.

Attachments (4)

1244.1.patch (2.0 KB) - added by Nightgunner5 16 years ago.
Fix for part 1
1244.2.patch (7.4 KB) - added by Nightgunner5 16 years ago.
1244.3.patch (11.4 KB) - added by Nightgunner5 16 years ago.
1244.4.patch (12.8 KB) - added by Nightgunner5 16 years ago.
Remember to wake up before posting patches to the trac. Props GautamGupta.


Change History (25)

#1 @Nightgunner5
16 years ago

  • Cc nightgunner5@… added

Explanations of semi-related changes:

  • $hour_ago was removed because it wasn't used anywhere
  • ! bb_is_user_logged_in() && ! bb_is_login_required() was changed to !$user because the poster doesn't necessarily need to be the current user (posts can be made by plugins)

@Nightgunner5
16 years ago

Fix for part 1

#2 @Nightgunner5
16 years ago

4) get_topic_last_poster needs to be changed to allow the last poster to be anonymous.

#3 @Gautam Gupta
16 years ago

  • Version set to 1.1-alpha

#4 @GautamGupta
16 years ago

  • Keywords dev-feedback removed
  • Summary changed from Some Issues with Anonymous Posting to Issues with Anonymous Posting

5) Cannot anonymously post a new topic if a closed topic is present - #1265
6) New post notification not sent for anonymous user's post - #1267

#5 @mr_pelle
16 years ago

What about adding a little JS to every postform for checking if anonymous user has entered name and email? I think it's horrible to end into bb_die()!

I remember a similar fact (i.e., bb_die() customizable via plugin) was pointed out when no content was submitted by the user.

#6 @mr_pelle
16 years ago

At the moment anonymous posting using a registered username is allowed: is this correct? Imho this should not be allowed: the only way to distinguish two users with the same name would be their title ("member" against "anonymous")!

#7 @GautamGupta
16 years ago

I think you're talking of #690 (the patch submitted by me won't work as plugins won't be able to use bb_die themselves). I was thinking of a better solution - when the data is submitted and it doesn't validate for some reason, another stylesheet and javascript is enqueued and there is a nag type of notification (like the BuddyPress bar) with the message and a close button, so that the user can view the message, close it and rectify the problem. Adding javascript for each different thing wouldn't be a good idea.

At the moment anonymous posting using a registered username is allowed: is this correct? Imho this should not be allowed: the only way to distinguish two users with the same name would be their title ("member" against "anonymous")!

Yes, you're right. That's the 7th point.

#8 @GautamGupta
16 years ago

  • Severity changed from normal to critical

#9 follow-ups: @kevinjohngallagher
16 years ago

Ok, so what we have is 7 items on this list:

*1) Anonymous users need to have flood control.
*2) Renaming of functions/variables.
*3) Template output
*4) get_topic_last_poster needs to allow the last poster to be anonymous.
*5) Cannot anonymously post a new topic if a closed topic is present
*6) New post notification not sent for anonymous user's post
*7) Anonymous users can claim to be existing users.

1) Anonymous users need to have flood control.

Priority: Highest
Severity: Blocker

This is a spammer's dream, and we cannot release Anonymous Posting without this.
In my opinion this should be a separate value to the logged in user one too.

2) Renaming of functions/variables.

Priority: Lowest
Severity: Minor

While I totally agree with Gautam on why this is, we're stuck with so much "WordPressy" naming of items due to BackPress that this should not be a priority.

3) Template output

Priority: Normal
Severity: Normal

We need need NEED to get away from hardcoding HTML into the core! It's the absolute bane of my life when making a theme.
Why not add a new page to our theme called post-form-anonymous (or an equivalent) and then call it via bb_load_template( 'new-page.php' );
I know it'll involve people upgrading to have to read the FAQ, but we can always have a fallback (if no page exists, server default).
Let's just stop putting hardcoded HTML in the core, especially as we've taken great joy in not adding ids/classes to almost all of it.

4) get_topic_last_poster needs to allow the last poster to be anonymous

Priority: Normal
Severity: Normal

We need to be a little careful about this, as there are a few "last poster for forums" plugins around too.
What happens when the last poster is anonymous?
Does it throw an error or give wrong info?

5) Cannot anonymously post a new topic if a closed topic is present

Priority: High
Severity: Blocker

Basically, a show stopper.

6) New post notification not sent for anonymous user's post

Priority: Normal
Severity: Normal

It's annoying, but not an essential fix.
Also the issue is with Email Notifications NOT anonymous Posting.
Finally, this is why you don't roll out multiple overlapping features in your first release in a year!!!

7) Anonymous users can claim to be existing users.

Priority: Highest
Severity: Blocker

This cannot be done with JavaScript, or any other client side/browser dependent language.

#10 @GautamGupta
16 years ago

Regarding 7th point, it is same with WordPress comments too. One can post with anyone's email id on any blog. And IMO, this can't be prevented. Only solution is to disable anonymous posting if a forum admin doesn't want this to happen. But we also show "Unregistered" below the anonymous users right.. so that can help the users to differentiate them from regular/registered users.

#11 @kevinjohngallagher
16 years ago

So are we now accepting bugs just because WordPress works the same way?
A forum is not a blog, and the ability to mimic/pretend to be someone will be used and exploited. We simply can't have a forum where people can easily pretend to be the admin simply by typing the name "admin" in as their name.

#12 @GautamGupta
16 years ago

Hmm.. yes you're right. I think we should not allow unregistered users to use any registered user's username.
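
The server-side checks argued for in points 1 and 7 of this ticket, as an added example that is not part of the ticket, its patches or bbPress itself. Every function name is hypothetical; keying the throttle on IP address and comparing names case-insensitively with whitespace collapsed are assumptions that go beyond what the thread specifies.

```php
<?php
// Added example, not bbPress code: every function name here is hypothetical.

// Canonical form for comparing names: trimmed, inner whitespace collapsed,
// lowercased. Invalid UTF-8 makes preg_replace() return null, which becomes ''
// and is then rejected as an empty name (fails closed).
function example_canonical_name( $name ) {
	$name = (string) preg_replace( '/\s+/u', ' ', trim( (string) $name ) );
	return function_exists( 'mb_strtolower' ) ? mb_strtolower( $name, 'UTF-8' ) : strtolower( $name );
}

// Server-side gate for a post by a user who is not logged in.
// Returns null if the post may proceed, otherwise an error code.
//   $registered  names of registered users (a real forum would query its user table)
//   $last_post   map of IP => unix time of that IP's last accepted anonymous post
//   $throttle    seconds between anonymous posts, kept separate from the logged-in value
function example_check_anonymous_post( $name, $ip, $now, array $registered, array &$last_post, $throttle ) {
	$canonical = example_canonical_name( $name );
	if ( '' === $canonical ) {
		return 'name_required';
	}
	if ( in_array( $canonical, array_map( 'example_canonical_name', $registered ), true ) ) {
		return 'name_registered';
	}
	if ( isset( $last_post[ $ip ] ) && ( $now - $last_post[ $ip ] ) < $throttle ) {
		return 'flood';
	}
	$last_post[ $ip ] = $now; // only accepted posts reset the timer
	return null;
}

// Constructed sample data: name, IP (documentation range), unix time.
$registered = array( 'admin', 'Gautam Gupta' );
$last_post  = array();
$attempts   = array(
	array( ' ADMIN ', '203.0.113.5', 1000 ),
	array( 'gautam  gupta', '203.0.113.5', 1000 ),
	array( 'visitor', '203.0.113.5', 1000 ),
	array( 'visitor', '203.0.113.5', 1010 ),
	array( 'visitor', '203.0.113.5', 1040 ),
);
foreach ( $attempts as $a ) {
	$err = example_check_anonymous_post( $a[0], $a[1], $a[2], $registered, $last_post, 30 );
	echo trim( $a[0] ), ' @', $a[2], ': ', ( null === $err ? 'accepted' : $err ), "\n";
}
```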

#13 in reply to: ↑ 9 @dimadin
16 years ago

  • Cc dimadin added

Replying to kevinjohngallagher:

3) Template output

Priority: Normal
Severity: Normal

We need need NEED to get away from hardcoding HTML into the core! It's the absolute bane of my life when making a theme.
Why not add a new page to our theme called post-form-anonymous (or an equivalent) and then call it via bb_load_template( 'new-page.php' );
I know it'll involve people upgrading to have to read the FAQ, but we can always have a fallback (if no page exists, server default).
Let's just stop putting hardcoded HTML in the core, especially as we've taken great joy in not adding ids/classes to almost all of it.

Came here after Gautam's comment on #1268. Hardcoded HTML should be added via action/filters so that theme authors could remove default actions/filters and either add their own actions/filters or hardcode directly in template. This way we have compatibility while also easier way for customization for developers.

#14 in reply to: ↑ 9 @Nightgunner5
16 years ago

Fixes in this patch:

  • 1) Anonymous users need to have flood control.
  • 2) Renaming of functions/variables. (partial)
  • 3) Template output
  • 4) get_topic_last_poster needs to allow the last poster to be anonymous
  • 4½) get_post_author needs to actually work when given a post ID as an argument

#15 @Nightgunner5
16 years ago

1-4½ just like before, plus: 5) Cannot anonymously post a new topic if a closed topic is present (this had nothing to do with whether a closed topic was present)

Not going to fix:

  • 6) New post notification not sent for anonymous user's post - If this gets fixed (and it probably will), it will be on #1268, not here.
  • 7) Anonymous users can claim to be existing users. - They can't if you have gravatars enabled, because their gravatars are set to "non logged in user"

#16 @Nightgunner5
16 years ago

  • Keywords has-patch tested added

@Nightgunner5
16 years ago

Remember to wake up before posting patches to the trac. Props GautamGupta.

#17 @GautamGupta
16 years ago

  • Keywords has-patch tested removed

Nice work Ben, but as I pointed out in our chat, these things need to be fixed in the patch (just for notes):

  • Add post-form-anonymous.php
  • bb_set_usermeta should be bb_update_usermeta

#18 @GautamGupta
16 years ago

  • Keywords has-patch tested added

Oh, you fixed it before my comment..

#19 @chrishajer
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2453]) Fixes for anonymous posting. Fixes #1244. Props Nightgunner5, GautamGupta

#20 @GautamGupta
16 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

post-form-anonymous.php didn't get into the commit..

#21 @chrishajer
16 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [2456]) Forgot to add post-form-anonymous in r2453. Fixes #1244. Thanks GautamGupta
