sorry, are you saying that remember should be based on CMFMember and that CMFMember is massively insecure? Any pointers on the traceback?
I've always had big problems with CMFMember. It loses member information regularly. They become orphaned items and then are not replaceable. Infuriating and that's only the start of it. Still I know it is open source.
EventRegistration should have originally been based on CMFMember, but wasn't. EventRegistration is insecure because it allows anyone who can find the url to your registration to edit it, which is retarded.
Yes, CMFMember sucks ass and is badly maintained. remember, based on Membrane, uses zope3 technologies and should be more robust. If it doesn't work better than CMFMember, we're all screwed, as it's due for inclusion in Plone 3.0 or 3.5.
On 7/24/06, michael nt milne <michael.mi...@gmail.com> wrote:
> sorry, are you saying that remember should be based on CMFMember and that CMFMember is massively insecure? Any pointers on the traceback?
> I've always had big problems with CMFMember. It loses member information regularly. They become orphaned items and then are not replaceable. Infuriating and that's only the start of it. Still I know it is open source.
> On 7/24/06, Justizin <justi...@gmail.com> wrote:
> > no, it's not afaik, but it should have been.. it's massively insecure..
> > On 7/24/06, michael nt milne <michael.mi...@gmail.com> wrote:
> > > Ok, yes it's based on CMFMember :-(
Can't you put security on the URLs? I take it you mean the admin URLs? I had a similar problem with CMFQuestions where users could in theory look at surveys submitted and even edit stuff. I was advised to use the ZMI security tabs so that only managers could look at it etc.
Yes I agree about CMFMember. I'm amazed that a better member solution hasn't been provided before now. It was the first thing I looked at in Plone and couldn't believe how long-winded it was to even get close to a proper membership solution. I've basically abandoned CMFMember as it's just too buggy and scary and screws up your member data. How do you explain to a client that many of their members have now disappeared? for no reason :-)
On 7/24/06, michael nt milne <michael.mi...@gmail.com> wrote:
> Can't you put security on the URLs? I take it you mean the admin URLs? I had a similar problem with CMFQuestions where users could in theory look at surveys submitted and even edit stuff. I was advised to use the ZMI security tabs so that only managers could look at it etc.
Well.. here's the problem.
* user goes to website and has access, as anonymous, to create registration
* in order to edit the registration, which it would be ludicrous not to support, they need modify access as anonymous
* thusly, the only security is the obscurity of the url.
> Yes I agree about CMFMember. I'm amazed that a better member solution hasn't been provided before now. It was the first thing I looked at in Plone and couldn't believe how long-winded it was to even get close to a proper membership solution. I've basically abandoned CMFMember as it's just too buggy and scary and screws up your member data. How do you explain to a client that many of their members have now disappeared? for no reason :-)
Well, you should be doing backups, but I can certainly relate. I have a couple of sites which are stuck on CMFMember and they are horribly broken. I'm very contemptuous of the CMFMember author because of this.. I feel he has abandoned the project after promoting its use throughout the community.
Still, it is possible to use CMFMember if you are careful, and since EventRegistration doesn't work properly either, it would benefit from use of CMFMember.
It would also be possible to wrap up the registration process in a user's first registration without CMFMember, but I have always leaned towards using what seems to be the community's chosen membership solution.
Fortunately, though the original author of CMFMember is responsible for remember, there are a ton of other stakeholders and hopefully some momentum for maintaining it.
How about once submitted you can't edit your registration? What you could do is email the site support and say you wish to create a new one etc, or ask them to delete your old registration. How do all these blogging products handle anonymous postings? Saying that I use EasyBlog and found that if you created a membership you were able to delete all the comments! It's being fixed.
Well, that's a major problem for many use cases, including the original funders of ER and anyone I would conceivably implement ER for.
You can implement ER that way for your use if you like, but I'd prefer not to see that functionality removed in ER trunk. I prefer to view that as a bug or incomplete feature so that not being able to edit your registration does not become a status quo for the project.
Blogging products do not handle anonymous postings well, and blog comments are not event registrations. blogging products for plone generally do not handle anonymous postings at all OOTB.
Yeh I suggest Quills over EasyBlog. It needs a bit of attention but it doesn't do anything retarded like let anyone who creates a login delete all comments. ;)
I agree. I'll try and implement some view security on editing registrations until this gets sorted. I think I'd rather go the more secure route just now. I couldn't imagine trying to explain to a client that some anon person could theoretically edit any registration.
Thing is with blogs a lot of people like having anon postings. I guess all you need to do is not allow any editing or deletion once the post has been made unless by a site manager. That's easy to do. CoreBlog also had issues along those lines when I tried it - also lost posts. The only thing with Quills is that it's too basic feature-wise.
> On 7/24/06, michael nt milne <michael.mi...@gmail.com> wrote:
> > I agree. I'll try and implement some view security on editing registrations until this gets sorted. I think I'd rather go the more secure route just now. I couldn't imagine trying to explain to a client that some anon person could theoretically edit any registration.
BTW, please put your improvements in a branch and discuss merging to trunk.
On 7/24/06, michael nt milne <michael.mi...@gmail.com> wrote:
> I agree. I'll try and implement some view security on editing registrations until this gets sorted. I think I'd rather go the more secure route just now. I couldn't imagine trying to explain to a client that some anon person could theoretically edit any registration.
Me either. ;)
A middleground is that you can require site registration first, but this is too many steps for some people, and I pretty much agree. It would be most effective to wrap up the site registration in the event registration, and catch duplicate e-mail addresses to reuse contact info..
> Thing is with blogs a lot of people like having anon postings. I guess all you need to do is not allow any editing or deletion once the post has been made unless by a site manager. That's easy to do. CoreBlog also had issues along those lines when I tried it - also lost posts. The only thing with Quills is that it's too basic feature-wise.
I didn't say anon postings are a bad idea, I said that they are:
* orthogonal to anon registrations
* not supported OOTB by most plone blogging products
Plone discussions implement the behaviour you describe OOTB, or Out Of The Box, but that presents some issues - for instance I can't edit my own posting. Using a Captcha and suggesting that a user sign-up or log in during the comment process is better. Supporting things like OpenID would be even better, but although OpenIDEnabled.org or whatever is running Plone itself, there is still no code release here.
Fact is, however you allow anon postings to a blog, if you aren't using a captcha it will be spammed, and this causes most people over time to disable this feature. Furthermore, there is no widely available aural captcha solution, which makes Captcha an accessibility issue.
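Added example, not part of the thread and not EventRegistration's or Plone's code: a small Python model of the two policies discussed above, edit rights granted to Anonymous (so the URL is the only protection) versus site sign-up wrapped into the event registration so that only the owner or a manager can edit. The `Site` class, role names, ids and the rule that a known e-mail address requires login are assumptions made for this sketch.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Registration:
    email: str
    owner: Optional[str]                      # member id, or None if created anonymously
    data: Dict[str, str] = field(default_factory=dict)


class Site:
    """Toy model of role-based edit checks; it is not Zope's security machinery."""

    def __init__(self, modify_roles: Set[str], managers: Set[str]):
        self.modify_roles = set(modify_roles)  # roles allowed to edit a registration
        self.managers = set(managers)
        self.members: Dict[str, str] = {}      # normalized e-mail -> member id
        self.registrations: Dict[str, Registration] = {}

    def _roles(self, user: Optional[str], reg: Registration) -> Set[str]:
        roles = {"Anonymous"}                  # every request holds Anonymous
        if user is not None:
            roles.add("Authenticated")
            if user in self.managers:
                roles.add("Manager")
            if reg.owner is not None and user == reg.owner:
                roles.add("Owner")
        return roles

    def can_modify(self, user: Optional[str], reg_id: str) -> bool:
        reg = self.registrations[reg_id]
        return bool(self._roles(user, reg) & self.modify_roles)

    def edit(self, user: Optional[str], reg_id: str, **changes: str) -> bool:
        if not self.can_modify(user, reg_id):
            return False
        self.registrations[reg_id].data.update(changes)
        return True

    def _store(self, reg: Registration) -> str:
        reg_id = "reg-%d" % (len(self.registrations) + 1)
        self.registrations[reg_id] = reg
        return reg_id

    def register_anonymous(self, email: str, **data: str) -> str:
        # No owner is recorded, so editing later can only work via Anonymous.
        return self._store(Registration(email, None, dict(data)))

    def register_with_signup(self, email: str, acting_user: Optional[str] = None,
                             **data: str):
        """Create (or reuse) a member for this address and make it the owner."""
        key = email.strip().lower()            # catch duplicate addresses
        member = self.members.get(key)
        if member is None:
            member = "member-%d" % (len(self.members) + 1)
            self.members[key] = member
        elif acting_user != member:
            return None                        # known address: log in as that member first
        return member, self._store(Registration(key, member, dict(data)))


def demo_obscurity() -> bool:
    """Anonymous may modify: anyone who learns the id (the URL) can edit."""
    site = Site(modify_roles={"Anonymous", "Manager"}, managers={"admin"})
    reg_id = site.register_anonymous("alice@example.org", meal="vegan")  # constructed data
    return site.edit(None, reg_id, meal="none")


def demo_owner_bound() -> dict:
    """Only Owner and Manager may modify; sign-up happens during registration."""
    site = Site(modify_roles={"Owner", "Manager"}, managers={"admin"})
    member, reg_id = site.register_with_signup("Alice@Example.org", meal="vegan")
    return {
        "stranger": site.edit(None, reg_id, meal="none"),
        "other_member": site.edit("member-99", reg_id, meal="none"),
        "owner": site.edit(member, reg_id, meal="vegetarian"),
        "manager": site.edit("admin", reg_id, seat="A1"),
        "duplicate_without_login": site.register_with_signup("alice@example.org"),
        "duplicate_logged_in": site.register_with_signup(
            "alice@example.org", acting_user=member),
        "final_data": dict(site.registrations[reg_id].data),
    }


if __name__ == "__main__":
    print("anonymous-modify policy, stranger edit succeeds:", demo_obscurity())
    for name, value in demo_owner_bound().items():
        print(name, "->", value)
```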
I've found that even using a CAPTCHA, spammers can get round it. At least that was my experience on PHPBB. However that's a lot more well known. The last time I looked, the guys building PloneBoard weren't doing much in the way of spam protection. I think the argument was that Plone was immune :-) Some sort of natural anti-spam aura.
Well, a Captcha by definition can't be gotten around by spammers, unless the CAPTCHA is broken, which makes it not a captcha. If a human uses a Captcha to log in, and then manually posts spam, well, it's not a spambot, it's a real-live spammer person, and there is *nothing* you can do about this, ever, except to use tactical nuclear weapons against their native land, which I am not in favor of.
If someone is arguing that plone is immune, that's only because it doesn't ship with anonymous discussion ability turned on.
Captchas work for basically everyone but PHPBB, from blogger.com to .. i dunno .. everyone uses them. Last I asked about this being included in core plone i was told there was a patent dispute of some sort, which I don't think is quite the case.
furthermore, btw, for discussions, you can get around captcha *and* spam by requiring that all comments be approved, but I'm not sure Ploneboard implements this OOTB right now. It certainly should.
ploneboard author just told me that it supports moderation, probably in latest version. that's the best solution to comment-spam, but is a barrier to encouraging active discussion.
Yes, I agree, moderation isn't great. Spammers can get round basic CAPTCHAS as I found on PHPBB. It had a pretty basic CAPTCHA installed. Computers are getting more intelligent :-) I think the argument was that Plone, or sites built with it, wouldn't be a target for spammers due to its nature, but I kind of think that anyone is a target....
On 7/24/06, michael nt milne <michael.mi...@gmail.com> wrote:
> Yes, I agree, moderation isn't great. Spammers can get round basic CAPTCHAS as I found on PHPBB. It had a pretty basic CAPTCHA installed. Computers are getting more intelligent :-) I think the argument was that Plone, or sites built with it, wouldn't be a target for spammers due to its nature, but I kind of think that anyone is a target....
I'm not sure who made that argument to you, that is not 'the plone community reasoning'. If you can't comment anonymously, you can't be spammed, except by anyone who creates an account.
If PHPBB captcha is broken, again, it's not a captcha. As soon as a captcha is broken it defies the definition of a captcha, because it can't be used for telling humans and computers apart. ;)
*real* captchas are not breakable. Please don't subject Plone to assumptions that it will eventually have problems that PHPBB has. It's a better app, and we try to Do Things Right(tm), and this is probably why plone is not vulnerable.
moderation is not bad IMO, but you have to decide on the type of site you want to have. It's not appropriate for some, but it can be a handy feature. Again, no spam gets through a moderator.
"If PHPBB captcha is broken, again, it's not a captcha. As soon as a captcha is broken it defies the definition of a captcha, because it can't be used for telling humans and computers apart. ;)"
Fair enough. Ok, quasi, pseudo CAPTCHAS then....:-) . Take your point. CAPTCHAS are going to have to get pretty sophisticated and also as you say there are the accessibility issues. Maybe the new national ID cards in the UK should have a changing digital number attached which could be used for online verification. At least then they would be good for something!
On 7/25/06, Justizin <justi...@gmail.com> wrote:
> On 7/24/06, michael nt milne <michael.mi...@gmail.com> wrote:
> > Yes, I agree, moderation isn't great. Spammers can get round basic CAPTCHAS as I found on PHPBB. It had a pretty basic CAPTCHA installed. Computers are getting more intelligent :-) I think the argument was that Plone, or sites built with it, wouldn't be a target for spammers due to its nature, but I kind of think that anyone is a target....
> I'm not sure who made that argument to you, that is not 'the plone community reasoning'. If you can't comment anonymously, you can't be spammed, except by anyone who creates an account.
> If PHPBB captcha is broken, again, it's not a captcha. As soon as a captcha is broken it defies the definition of a captcha, because it can't be used for telling humans and computers apart. ;)
> *real* captchas are not breakable. Please don't subject Plone to assumptions that it will eventually have problems that PHPBB has. It's a better app, and we try to Do Things Right(tm), and this is probably why plone is not vulnerable.
> moderation is not bad IMO, but you have to decide on the type of site you want to have. It's not appropriate for some, but it can be a handy feature. Again, no spam gets through a moderator.