Introducing Diskuto - an embeddable comment system

Sönke Ludwig via Digitalmars-d-announce digitalmars-d-announce at puremagic.com
Fri Mar 17 11:04:22 PDT 2017


On 17.03.2017 at 18:30, Suliman wrote:
> On Friday, 17 March 2017 at 16:42:28 UTC, Sönke Ludwig wrote:
>> On 17.03.2017 at 16:42, cym13 wrote:
>>> On Wednesday, 15 March 2017 at 02:14:34 UTC, Sönke Ludwig wrote:
>>>> On 14.03.2017 at 21:56, Daniel Kozak via Digitalmars-d-announce wrote:
>>>>> On 14.3.2017 at 21:24, Sönke Ludwig via Digitalmars-d-announce
>>>>> wrote:
>>>>>>
>>>>>> Did you delete the comments yourself? The time limit for
>>>>>> deletion/editing currently isn't enforced on the server (ticket
>>>>>> already open), so anyone can delete their own tickets currently at
>>>>>> any time.
>>>>>>
>>>>>> I've noted the other issues and will tackle those tomorrow.
>>>>> I have deleted not only my comments, I can delete anyone's comment
>>>>
>>>> Okay, that was supposed to be implemented before 1.0.0, but then I
>>>> forgot about it:
>>>> https://github.com/rejectedsoftware/diskuto/blob/d8376f3e54a03574f69af13a0b41b5e994b6ce44/source/diskuto/web.d#L107
>>>>
>>>>
>>>
>>> You'll also want a CSRF token for that, checking that the user is the
>>> author isn't enough.
>>
>> True, I have that and some other standard measures planned, but for
>> now I wanted to concentrate on getting the general functionality and
>> layout done. On the "security" side, simple moderation and registered
>> user support is now in but still needs some additions, and the spam
>> filter integration still needs a little work.
>>
>> IMO, those are the most important things for the start, because
>> realistically nobody is going to implement a CSRF attack against this
>> in the foreseeable future, and even if, the impact would be extremely
>> limited (since only posts of the last 15 minutes can be changed anyways).
>
> Please add OAuth with Google instead of anti-spam. I really captcha and
> other stupid system where computer make decision enough am I human or no.
>
> Also auth with Telegram is a very good thing. I think it would be enough for
> 90% of users.

The idea is to allow anonymous comments, at least if a site wants to 
support it, because that can often reduce the initial entry barrier 
considerably, even compared against a convenient OAuth login.

But the idea is that all kinds of authentication mechanisms can be 
plugged in using the relatively trivial `DiskutoUserStore` interface. So 
anyone can use their favorite means. I'd of course accept pull requests 
to include a range of default options, but I'll probably not have the 
time to do that myself.
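
The server-side checks raised in the quoted thread (author-only deletion, the 15-minute limit, and a CSRF token), as an added example that is not part of the original post and is not Diskuto's code. It is written in Python rather than D; `Comment`, `csrf_token`, `may_delete` and the session fields are hypothetical names, and the sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

EDIT_WINDOW_SECONDS = 15 * 60  # the 15-minute limit mentioned in the thread


@dataclass
class Comment:
    comment_id: str
    author_id: str
    posted_at: float  # Unix timestamp recorded by the server at post time


def csrf_token(server_key: bytes, session_id: str) -> str:
    """Token bound to one session; rendered into the page that shows the delete button."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def may_delete(comment, session_user_id, session_id, submitted_token, server_key, now):
    """Return (allowed, reason). Every input except submitted_token is server-side state."""
    # 1. CSRF: a request forged from another site carries the victim's cookie
    #    but cannot read the token, so an author check alone is not enough.
    expected = csrf_token(server_key, session_id).encode()
    if not hmac.compare_digest(expected, (submitted_token or "").encode()):
        return False, "bad csrf token"
    # 2. Ownership: compare against the session's user, never a user id
    #    taken from the request body.
    if comment.author_id != session_user_id:
        return False, "not the author"
    # 3. Time limit enforced on the server, not only hidden in the UI.
    #    A negative age (timestamp in the future) is rejected as well.
    age = now - comment.posted_at
    if age < 0 or age > EDIT_WINDOW_SECONDS:
        return False, "outside edit window"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes-xx"       # constructed sample key
    c = Comment("c1", "alice", posted_at=1000.0)    # constructed sample comment
    good = csrf_token(key, "sess-alice")
    print(may_delete(c, "alice", "sess-alice", good, key, now=1060.0))
    print(may_delete(c, "bob", "sess-bob", csrf_token(key, "sess-bob"), key, now=1060.0))
    print(may_delete(c, "alice", "sess-alice", None, key, now=1060.0))
    print(may_delete(c, "alice", "sess-alice", good, key, now=1000.0 + 16 * 60))
```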

