On Oct 20, 12:53 pm, Alexander Solovyov <pira...@piranha.org.ua> wrote:
> > ANONYMOUS_COMMENTS_APPROVED = False
> > CAPTCHA = 'simple'
>
> > gives me pretty much what I wanted, but there are two problems:
> > 1. The user gets logged in immediately and has a profile - I'd like
> > for him to have to activate the account first
>
> That's quite strange, because setting ANONYMOUS_COMMENTS_APPROVED
> to False means that user will need to be activated. Maybe this is a bug.
Would it be "vazmozhno" for you to confirm this as a bug?
Steps:
1. Log out (be sure you're logged out)
2. Comment on a post using credentials that still direct to your email, like foo...@yourdomain.com
3. Notice that the post did not show up
4. Notice that you got an email encouraging you to activate your account
5. Notice that you are mystically logged in!
6. Post another comment on the form
7. Verify it uses a username like mjt+jkala-nysv.org, clearly generated from the email
7.1. You can even reply to this comment!
8. Activate your account
9. Notice your original post came up above your recent test messages

I read through the code:
discussion/forms.py: AnonymousCommentForm.save calls ActionRecord.registrations.create_inactive_user
The registrations member is an instance of accounts.managers.RegistrationManager, and create_inactive_user does create an inactive user.
Maybe a more in-depth analysis is required ;)
> > 2. Anonymous comments with captcha-only would require a patch
>
> You mean posts without creating a profile? That's not possible
> currently in Byteflow...
>
> > Is anyone interested in such a patch?
>
> Yes. ;-)
I cannot promise such a patch.
There was something, however, that I might be sending your way after I conf hg.

I'm surprised we always create a user; it almost doesn't make sense if ANONYMOUS_COMMENTS_APPROVED == True to do this. It's not very anonymous and of course requires a captcha so the database doesn't get filled with users in an attack ;)

Also, is this some kind of minibug?
If I enable ANONYMOUS_COMMENTS_APPROVED (with a captcha) I can enter an email like literally 'f...@example.com' and the comment comes through, but if I try to reply to it with the same email, a confirmation goes to example.com, which obviously does not work.
Could it be considered a vulnerability, because I can enter someone else's email and then flood comments and the someone else gets a lot of mail? Probably not a very serious vulnerability because there's a captcha, but I just found it sort of funny :)
Thanks!
--
mjt
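Added example, not part of the mailing-list thread and not Byteflow's own code: a self-contained, in-memory stand-in for the flow the message walks through (AnonymousCommentForm.save calling RegistrationManager.create_inactive_user). The class names mirror the ones named in the mail, but their bodies are assumptions written here. It shows the behaviour the reporter expected: an anonymous comment creates an inactive user, does not log that user in, and stays hidden until activation; it also sends the activation mail only once per unverified address, which is the simplest check against the mail-flooding case raised at the end of the mail. The sample address is constructed.

```python
"""Hypothetical model of Byteflow's anonymous-comment flow (not Byteflow code)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    email: str
    is_active: bool = False
    activation_key: str = ""


@dataclass
class Session:
    user_id: Optional[str] = None   # None means nobody is logged in


@dataclass
class Comment:
    author: User
    body: str
    approved: bool                  # True when ANONYMOUS_COMMENTS_APPROVED applied

    @property
    def is_public(self) -> bool:
        # Visible when pre-approved by configuration or once the author activates.
        return self.approved or self.author.is_active


class RegistrationManager:
    """Assumed stand-in for accounts.managers.RegistrationManager."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, activation key)

    def create_inactive_user(self, email: str) -> Tuple[User, bool]:
        """Return (user, created). The activation mail is sent once per address:
        a repeat comment with the same unverified email must not resend it, so a
        stranger whose address was typed in cannot be flooded with mail."""
        user = self.users.get(email)
        if user is not None:
            return user, False
        user = User(email=email, activation_key=secrets.token_urlsafe(16))
        self.users[email] = user
        self.outbox.append((email, user.activation_key))
        return user, True

    def activate(self, email: str, key: str) -> bool:
        """Constant-time key comparison; True when the account is now active."""
        user = self.users.get(email)
        if user is None or not hmac.compare_digest(user.activation_key, key):
            return False
        user.is_active = True
        return True


class AnonymousCommentForm:
    """Assumed stand-in for discussion.forms.AnonymousCommentForm."""

    def __init__(self, registrations: RegistrationManager,
                 anonymous_comments_approved: bool = False) -> None:
        self.registrations = registrations
        self.anonymous_comments_approved = anonymous_comments_approved
        self.comments: List[Comment] = []

    def save(self, email: str, body: str, session: Session,
             captcha_ok: bool) -> Comment:
        if not captcha_ok:
            raise ValueError("captcha failed")
        user, _created = self.registrations.create_inactive_user(email)
        # Deliberately never touches session.user_id: an unverified commenter
        # must not end up logged in (the first problem reported in the mail).
        comment = Comment(author=user, body=body,
                          approved=self.anonymous_comments_approved)
        self.comments.append(comment)
        return comment


def walkthrough() -> dict:
    """Replays the reporter's steps with a constructed address and returns
    what each step observed, so the expected behaviour can be checked."""
    reg = RegistrationManager()
    form = AnonymousCommentForm(reg, anonymous_comments_approved=False)
    session = Session()
    email = "visitor@example.com"           # constructed sample address
    first = form.save(email, "first comment", session, captcha_ok=True)
    second = form.save(email, "second comment", session, captcha_ok=True)
    hidden_before = not first.is_public and not second.is_public
    bad_key = reg.activate(email, "wrong-key")
    good_key = reg.activate(email, reg.outbox[0][1])
    return {
        "mails_sent": len(reg.outbox),      # stays 1 across repeated comments
        "logged_in": session.user_id is not None,
        "hidden_before_activation": hidden_before,
        "activation_with_wrong_key": bad_key,
        "activation_with_real_key": good_key,
        "visible_after_activation": first.is_public and second.is_public,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Running the module prints one line per observation; a real fix in the project would additionally rate-limit activation mails per address and per source, but the once-per-pending-address rule above is enough to stop the "flood comments, someone else gets a lot of mail" case described.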