Add a approve-if-email-previously-approved setting.

Automatically approve comments by an email address if that address has had a comment approved within the last 6 months. No ownership verification is done on the entered email address. This means that if someone is able to guess correctly the email address used by a previously approved author, they will be able to have their new comment auto-approved.
2019-12-07 18:28:51 +00:00 · 2019-12-07 18:28:51 +00:00 · 2e8cb81179
commit 2e8cb81179
parent 9eaaad4775
4 changed files with 44 additions and 0 deletions
--- a/docs/docs/configuration/server.rst
+++ b/docs/docs/configuration/server.rst
@ -124,6 +124,7 @@ Enable moderation queue and handling of comments still in moderation queue

    [moderation]
    enabled = false
+    approve-if-email-previously-approved = false
    purge-after = 30d

 enabled
@ -131,6 +132,13 @@ enabled
    Comments in moderation queue are not visible to other users until you
    activate them.

+approve-if-email-previously-approved
+    automatically approve comments by an email address if that address has
+    had a comment approved within the last 6 months. No ownership verification
+    is done on the entered email address. This means that if someone is able
+    to guess correctly the email address used by a previously approved author,
+    they will be able to have their new comment auto-approved.
+
 purge-after
    remove unprocessed comments in moderation queue after given time.

--- a/isso/db/comments.py
+++ b/isso/db/comments.py
@ -81,6 +81,25 @@ class Comments:
            '    mode=1',
            'WHERE id=? AND mode=2'], (id, ))

+    def is_previously_approved_author(self, email):
+        """
+        Search for previously activated comments with this author email.
+        """
+
+        # if the user has not entered email, email is None, in which case we can't check if they have previous comments
+        if email is not None:
+            # search for any activated comments within the last 6 months by email
+            # this SQL should be one of the fastest ways of doing this check
+            # https://stackoverflow.com/questions/18114458/fastest-way-to-determine-if-record-exists
+            rv = self.db.execute([
+                'SELECT CASE WHEN EXISTS(',
+                '    select * from comments where email=? and mode=1 and ',
+                '    created > strftime("%s", DATETIME("now", "-6 month"))',
+                ') THEN 1 ELSE 0 END;'], (email,)).fetchone()
+            return rv[0] == 1
+        else:
+            return False
+
    def unsubscribe(self, email, id):
        """
        Turn off email notifications for replies to this comment.
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@ -132,6 +132,8 @@ class API(object):

        self.conf = isso.conf.section("general")
        self.moderated = isso.conf.getboolean("moderation", "enabled")
+        # this is similar to the wordpress setting "Comment author must have a previously approved comment"
+        self.approve_if_email_previously_approved = isso.conf.getboolean("moderation", "approve-if-email-previously-approved")

        self.guard = isso.db.guard
        self.threads = isso.db.threads
@ -294,6 +296,11 @@ class API(object):
            raise Forbidden(reason)

        with self.isso.lock:
+            # if email-based auto-moderation enabled, check for previously approved author
+            # right before approval.
+            if self.approve_if_email_previously_approved and self.comments.is_previously_approved_author(data['email']):
+                data['mode'] = 1
+
            rv = self.comments.add(uri, data)

        # notify extension, that the new comment has been successfully saved
--- a/share/isso.conf
+++ b/share/isso.conf
@ -71,6 +71,16 @@ password = please_choose_a_strong_password
 # them.
 enabled = false

+# with moderation enabled, automatically approve new comments by an
+# author if they've had comments approved within the last 6 months
+# Note: No verification is done on the email addresses entered by commenters.
+# This means that if someone is able to guess correctly the email address used
+# by a previously approved author, they will be able to have their new comment
+# auto-approved. For this reason, we recommend that you also activate SMTP
+# notification if you activate this option, so that you will see
+# auto-approved comments as they get posted.
+approve-if-email-previously-approved = false
+
 # remove unprocessed comments in moderation queue after given time.
 purge-after = 30d