From 2e8cb81179209a6921f58f13c4d5aa002e5a1fb6 Mon Sep 17 00:00:00 2001
From: "Charl P. Botha (X1E)"
Date: Sat, 7 Dec 2019 18:28:51 +0000
Subject: [PATCH] Add a approve-if-email-previously-approved setting.

Automatically approve comments by an email address if that address has had a comment approved within the last 6 months. No ownership verification is done on the entered email address. This means that if someone is able to guess correctly the email address used by a previously approved author, they will be able to have their new comment auto-approved.
---
 docs/docs/configuration/server.rst | 8 ++++++++
 isso/db/comments.py | 19 +++++++++++++++++++
 isso/views/comments.py | 7 +++++++
 share/isso.conf | 10 ++++++++++
 4 files changed, 44 insertions(+)

diff --git a/docs/docs/configuration/server.rst b/docs/docs/configuration/server.rst
index 823d2ed..9a70ca6 100644
--- a/docs/docs/configuration/server.rst
+++ b/docs/docs/configuration/server.rst
@@ -124,6 +124,7 @@ Enable moderation queue and handling of comments still in moderation queue
 
     [moderation]
     enabled = false
+    approve-if-email-previously-approved = false
     purge-after = 30d
 
 enabled
@@ -131,6 +132,13 @@ enabled
     Comments in moderation queue are not visible to other users until you activate them.
 
+approve-if-email-previously-approved
+    automatically approve comments by an email address if that address has
+    had a comment approved within the last 6 months. No ownership verification
+    is done on the entered email address. This means that if someone is able
+    to guess correctly the email address used by a previously approved author,
+    they will be able to have their new comment auto-approved.
+
 purge-after
     remove unprocessed comments in moderation queue after given time.
 
diff --git a/isso/db/comments.py b/isso/db/comments.py
index f9575b2..ac39e3f 100644
--- a/isso/db/comments.py
+++ b/isso/db/comments.py
@@ -81,6 +81,25 @@ class Comments:
                 ' mode=1',
                 'WHERE id=? AND mode=2'], (id, ))
 
+    def is_previously_approved_author(self, email):
+        """
+        Search for previously activated comments with this author email.
+        """
+
+        # if the user has not entered email, email is None, in which case we can't check if they have previous comments
+        if email is not None:
+            # search for any activated comments within the last 6 months by email
+            # this SQL should be one of the fastest ways of doing this check
+            # https://stackoverflow.com/questions/18114458/fastest-way-to-determine-if-record-exists
+            rv = self.db.execute([
+                'SELECT CASE WHEN EXISTS(',
+                ' select * from comments where email=? and mode=1 and ',
+                ' created > strftime("%s", DATETIME("now", "-6 month"))',
+                ') THEN 1 ELSE 0 END;'], (email,)).fetchone()
+            return rv[0] == 1
+        else:
+            return False
+
     def unsubscribe(self, email, id):
         """
         Turn off email notifications for replies to this comment.
diff --git a/isso/views/comments.py b/isso/views/comments.py
index 8db7477..c7954a8 100644
--- a/isso/views/comments.py
+++ b/isso/views/comments.py
@@ -132,6 +132,8 @@ class API(object):
         self.conf = isso.conf.section("general")
         self.moderated = isso.conf.getboolean("moderation", "enabled")
+        # this is similar to the wordpress setting "Comment author must have a previously approved comment"
+        self.approve_if_email_previously_approved = isso.conf.getboolean("moderation", "approve-if-email-previously-approved")
 
         self.guard = isso.db.guard
         self.threads = isso.db.threads
@@ -294,6 +296,11 @@ class API(object):
             raise Forbidden(reason)
 
         with self.isso.lock:
+            # if email-based auto-moderation enabled, check for previously approved author
+            # right before approval.
+            if self.approve_if_email_previously_approved and self.comments.is_previously_approved_author(data['email']):
+                data['mode'] = 1
+
             rv = self.comments.add(uri, data)
 
             # notify extension, that the new comment has been successfully saved
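Review bot: `is_previously_approved_author` only rejects `None`, so an empty-string email (if any caller or client can submit one) would be matched against every approved comment stored with an empty email and auto-approve the new comment; guard with `if not email: return False` rather than `if email is not None:`. The SQL also wraps its literals in double quotes (`strftime("%s", DATETIME("now", "-6 month"))`); in SQLite double quotes name identifiers and are accepted as string literals only through a legacy fallback that builds can disable, so use single quotes, e.g. `"    created > strftime('%s', DATETIME('now', '-6 month'))"`. The six-month window is hard-coded inside the query although the behaviour is user-facing; a module-level constant or a keyword parameter defaulting to 6 months would make the interval visible and testable. The lookup is an exact, case-sensitive comparison on the stored email, which is the safer direction but worth stating in the docstring so nobody later "fixes" it with a case-insensitive match without weighing the consequences.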
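Review bot: The auto-approval in the second views hunk flips `data['mode']` to 1 without recording that the decision was automatic, so an operator reviewing the database later cannot tell an auto-approved comment from a manually activated one, and the recommendation in the sample config to rely on SMTP notifications depends on exactly that distinction. Log the decision where the mode is set, e.g. `logger.info("auto-approved comment by previously approved author on %s", uri)` using the module's logger if it has one, avoiding the email address itself in the log line. Consider also gating the check on `self.moderated`, since with moderation disabled it runs a database query per comment for no effect (assuming `mode` is already 1 in that case; verify against `comments.add`). The enclosing handler begins and ends outside the hunk. The `getboolean` read in the first views hunk will raise if the new key is absent from a deployment's own config unless the shipped defaults are merged first; worth confirming that the config loader does that.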
diff --git a/share/isso.conf b/share/isso.conf
index 05660a8..1761580 100644
--- a/share/isso.conf
+++ b/share/isso.conf
@@ -71,6 +71,16 @@ password = please_choose_a_strong_password
 # them.
 enabled = false
 
+# with moderation enabled, automatically approve new comments by an
+# author if they've had comments approved within the last 6 months
+# Note: No verification is done on the email addresses entered by commenters.
+# This means that if someone is able to guess correctly the email address used
+# by a previously approved author, they will be able to have their new comment
+# auto-approved. For this reason, we recommend that you also activate SMTP
+# notification if you activate this option, so that you will see
+# auto-approved comments as they get posted.
+approve-if-email-previously-approved = false
+
 # remove unprocessed comments in moderation queue after given time.
 purge-after = 30d