Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
#1 2012-10-06 01:26:09
- cabes
- Member
- Registered: 2008-01-01
- Posts: 28
Is there a plugin to delete comments on the frontend?
I have been looking around and can’t seem to find it, so figured I would ask. Is there a plugin or workaround to add a little “delete” link next to all comments on the front end? I have cbe_frontauth and it works great and would love this functionality.
Thanks in advance!
Caleb
Offline
Re: Is there a plugin to delete comments on the frontend?
No. Not one as convenient as adding a little delete link. At least not that I’m aware of.
Look at smd_query and this part of it’s thread.
Last edited by whaleen (2012-10-06 02:52:58)
txtstrap (Textpattern + Twitter Bootstrap + etc…)
Offline
#3 2012-10-06 11:15:58
- cabes
- Member
- Registered: 2008-01-01
- Posts: 28
Re: Is there a plugin to delete comments on the frontend?
Thanks! that is very helpful, I will play around with it and see if I can get something working.
Caleb
Offline
Re: Is there a plugin to delete comments on the frontend?
Keep in mind CSRF attacks when creating your links, cbe_frontauth will not stop them, I’m afraid.
Offline
#5 2012-10-06 11:43:45
- cabes
- Member
- Registered: 2008-01-01
- Posts: 28
Re: Is there a plugin to delete comments on the frontend?
That is a very good point. The way I have it setup is that the only comments on the site are in articles that are password protected and only viewable by registered users, so the general public won’t be able to see them at all, much less delete them. From the little I understand of CSRF, an attack could definitely still happen, but would they if they didn’t know there was anything to mess around with?
Offline
Re: Is there a plugin to delete comments on the frontend?
If it could happen, it might happen, even if the risk is highly hypothetical in your setup. Why not prevent it since you are in full control of your solution?
Offline
#7 2012-10-06 14:39:51
- cabes
- Member
- Registered: 2008-01-01
- Posts: 28
Re: Is there a plugin to delete comments on the frontend?
What would be the best way to counteract this? just adding a verification of some sort? like a popup, “are you sure?” or is that not good enough?
Thanks!
Offline
Re: Is there a plugin to delete comments on the frontend?
Let us see the problem. If I get it right, you are going to create a “delete” page, that will wait for some “del” url parameter and delete the corresponding comment:
my.web.site/delete/?del=13would delete the comment number 13. Of course, before deleting you have to ensure (with cbe_frontauth) that the user is logged in, by checking some txp cookie sent by the browser. The problem is that the browser could be tricked into sending this cookie without your approval. If some bad guy posts on some site a fake image tag with src="my.web.site/delete/?del=13" and you visit this site while being logged into yours, then your cookie will be sent to my.web.site/delete/?del=13 and pass the checkout.
The simplest solution is to append to the “delete” page url some random key and check on reception if it is ok: my.web.site/delete/?del=13&key=uyf65vhhd453. If you don’t want to use sessions on the public side, then you could create (with phpmyadmin) some random txp_prefs, say “secret_key”. Then use it to generate a random key:
$secret = get_pref('secret_key');
$del = 13; //comment to delete
$key = crypt($del.$secret); //will be new each timeand append it to the “delete” page url of your delete comment links. On the “delete” page itself, check if the key is authentic:
$secret = get_pref('secret_key');
$del = $_GET['del']; //or adi_gps?
$key = $_GET['key'];
if(crypt($del.$secret, $key) != $key) exit; //no matchSince your “secret_key” stays secret, bad guys are unlikely to post a harmful url. But this might be a very naive or even false solution, many people here have much deeper knowledge of CSRF than me, any advice is welcome.
Offline
Re: Is there a plugin to delete comments on the frontend?
Is this an issue of using POST from a form? My understanding is that the data is not sent through the URL string.
Offline
Re: Is there a plugin to delete comments on the frontend?
aslsw66 wrote:
Is this an issue of using POST from a form? My understanding is that the data is not sent through the URL string.
Savvy people say using POST will not completely solve the problem, though that’s less risky than GET, I agree.
Offline
#11 2012-10-07 19:12:22
- cabes
- Member
- Registered: 2008-01-01
- Posts: 28
Re: Is there a plugin to delete comments on the frontend?
So I am confused. I am trying to understand how to get all this put together, but I really don’t have a great foundation of knowledge to work from… If someone could give me kind of a rough idea of how to do this? I have a list of comments for an article that is only viewable by users logged in, and am trying to add a little delete button to each comment.
The smd_query worked, but I definitely didn’t structure it properly or put it in the right place since it deleted all my comments as soon as the page loaded. This is what I used: <txp:smd_query query=“DELETE FROM txp_discuss WHERE discussid = ‘<txp:comment_id />’” />
What should that be changed to, and where should I put it? Should I treat this like a form where I post the comment data and then load a separate page that has the query and loads the posted comment data?
Once I have it working at all I will try and figure out what was said about preventing CSRF :)
Thanks and sorry that I am not understanding yet.
Offline
#12 2012-10-09 17:24:09
- cabes
- Member
- Registered: 2008-01-01
- Posts: 28
Re: Is there a plugin to delete comments on the frontend?
Nevermind, I got it to work. Thanks for your help everyone!
Offline