Introducing Diskuto - an embeddable comment system

Sönke Ludwig via Digitalmars-d-announce digitalmars-d-announce at puremagic.com
Fri Mar 17 09:42:28 PDT 2017


On 17.03.2017 at 16:42, cym13 wrote:
> On Wednesday, 15 March 2017 at 02:14:34 UTC, Sönke Ludwig wrote:
>> On 14.03.2017 at 21:56, Daniel Kozak via Digitalmars-d-announce wrote:
>>> On 14.3.2017 at 21:24, Sönke Ludwig via Digitalmars-d-announce wrote:
>>>>
>>>> Did you delete the comments yourself? The time limit for
>>>> deletion/editing currently isn't enforced on the server (ticket
>>>> already open), so anyone can delete their own tickets currently at any
>>>> time.
>>>>
>>>> I've noted the other issues and will tackle those tomorrow.
>>> I have deleted not only my comments; I can delete anyone's comment.
>>
>> Okay, that was supposed to be implemented before 1.0.0, but then I
>> forgot about it:
>> https://github.com/rejectedsoftware/diskuto/blob/d8376f3e54a03574f69af13a0b41b5e994b6ce44/source/diskuto/web.d#L107
>>
>
> You'll also want a CSRF token for that, checking that the user is the
> author isn't enough.

True, I have that and some other standard measures planned, but for now 
I wanted to concentrate on getting the general functionality and layout 
done. On the "security" side, simple moderation and registered user 
support is now in but still needs some additions, and the spam filter 
integration still needs a little work.

IMO, those are the most important things for the start, because 
realistically nobody is going to implement a CSRF attack against this in 
the foreseeable future, and even if someone did, the impact would be extremely 
limited (since only posts of the last 15 minutes can be changed anyway).
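As an added example (not code from Diskuto or from anyone in this thread), here is a small Python sketch of the three server-side checks the exchange above touches on: a CSRF token bound to the session, the author check, and the 15-minute edit window enforced on the server rather than only in the UI. The HMAC-based token scheme, the class and function names, the fixed demo key and the sample timestamps are all assumptions made for the illustration.

```python
"""Illustrative server-side checks for a comment-deletion endpoint.

Not Diskuto code: the store, the HMAC token scheme and all names are
assumptions for this example. The point is that every check the client
UI performs (is this my comment? is it still editable?) must be
repeated on the server, and that a per-session CSRF token is needed
on top of the author check.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EDIT_WINDOW_SECONDS = 15 * 60  # the 15-minute limit mentioned in the thread


@dataclass
class Comment:
    author: str
    created: float  # unix timestamp when the comment was posted


class CommentStore:
    def __init__(self, secret: Optional[bytes] = None) -> None:
        # Per-server key used to derive CSRF tokens (assumed design).
        self._secret = secret or secrets.token_bytes(32)
        self._comments: Dict[int, Comment] = {}
        self._next_id = 1

    def add(self, author: str, now: float) -> int:
        cid = self._next_id
        self._next_id += 1
        self._comments[cid] = Comment(author, now)
        return cid

    def csrf_token(self, session_id: str) -> str:
        # Token bound to the session: HMAC(secret, session id). A hostile page
        # can make the victim's browser send the session cookie, but it cannot
        # read or derive this value, so it cannot forge a valid delete request.
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def delete(self, session: dict, comment_id: int,
               token: Optional[str], now: float) -> Tuple[bool, str]:
        comment = self._comments.get(comment_id)
        if comment is None:
            return False, "not found"
        # 1. CSRF: constant-time compare against the token for *this* session.
        expected = self.csrf_token(session["id"])
        if token is None or not hmac.compare_digest(token, expected):
            return False, "bad csrf token"
        # 2. Authorization: only the author may delete (the missing check
        #    that let one user delete another user's comment).
        if comment.author != session["user"]:
            return False, "not author"
        # 3. Time limit enforced on the server, not only hidden in the UI.
        if now - comment.created > EDIT_WINDOW_SECONDS:
            return False, "edit window expired"
        del self._comments[comment_id]
        return True, "deleted"


def demo() -> Dict[str, str]:
    """Run the scenarios from the thread against the store; returns reasons."""
    store = CommentStore(secret=b"fixed-demo-key")  # fixed so the run is reproducible
    t0 = 1_489_760_000.0  # constructed timestamp (March 2017)
    alice = {"id": "sess-alice", "user": "alice"}  # constructed sessions
    bob = {"id": "sess-bob", "user": "bob"}
    cid = store.add("alice", t0)
    results: Dict[str, str] = {}
    # Bob, logged in with his own valid token, tries to delete Alice's comment.
    results["other_user"] = store.delete(bob, cid, store.csrf_token("sess-bob"), t0 + 60)[1]
    # Cross-site form submission: Alice's cookie rides along, but no token.
    results["csrf_no_token"] = store.delete(alice, cid, None, t0 + 60)[1]
    # A token minted for a different session is rejected as well.
    results["csrf_wrong_session"] = store.delete(alice, cid, store.csrf_token("sess-bob"), t0 + 60)[1]
    # Alice herself, but 16 minutes after posting.
    results["too_late"] = store.delete(alice, cid, store.csrf_token("sess-alice"), t0 + 16 * 60)[1]
    # Alice herself, within the window: the only request that succeeds.
    results["legit"] = store.delete(alice, cid, store.csrf_token("sess-alice"), t0 + 60)[1]
    return results


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:20s} -> {reason}")
```

The order of checks matters a little: the CSRF check runs first so that a forged request is rejected before any per-comment logic executes, and `hmac.compare_digest` avoids leaking the token through timing. In a real deployment the token would be rendered into the delete form (or sent as a header) and the time-window check would use the server clock, never a timestamp supplied by the client.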

