Quick fix to prevent comment spam

jeffhare

Joined: 2007-09-21
Posts: 5
Posted: Tue, 2007-10-09 15:23

Our Geeklog Embedded photo gallery requires users to login to contribute and manage their own albums, but anyone can view them.

Problem: Some users didn't restrict comments to LOGGED-IN users, allowing spambots to spam some photos with porn comments.
Solution: Very Simple 1-line code fix to globally prevent anonymous (not logged in) viewers from adding comments.

You'd think an Administrator, while editing permissions, could just edit this single comment permission in the top level gallery album and apply it for all sub-albums. Unfortunately, this unifies all child album props throughout the album tree, including ownership, who can add photos, etc. ...Not what I need at all...

To deal with this, a very simple patch was made to the "canAddComments" function in gallery/classes/User.php around line 276 which adds the requirement of a minimum of a LOGGED-IN user to post comments, even if the album accidentally permits EVERYONE to post comments.

For reference, the original canAddComments() method in gallery/classes/User.php around 276 is below:

    function canAddComments($album) {
        global $gallery;

        if($gallery->app->comments_enabled == 'no') {
            return false;
        }

        if ($this->isAdmin()) {
            return true;
        }

        if ($album->canAddComments($this->uid)) {
            return true;
        }

        return false;
    }

The patched method is below, with the change surrounded by comments:

    function canAddComments($album) {
        global $gallery;

        if($gallery->app->comments_enabled == 'no') {
            return false;
        }

        if ($this->isAdmin()) {
            return true;
        }

        // Added $this->isLoggedIn() check to prevent the "not logged in" 
        // anonymous user from posting comments, even if the album allows. 
        // Jeffrey A. Hare 2007-10-09  Gallery 1.5.7
        // --------------------------------------------------------------
        if ($album->canAddComments($this->uid) && $this->isLoggedIn()) {
            return true;
        }
        // --------------------------------------------------------------

        return false;
    }

To scan for spam comments, I simply use the search box and simply search for: @
This allows me to scroll through all the comments in the gallery.

Let me know if you found this solution useful.

-Jeff Hare

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Tue, 2007-10-09 16:53
jeffhare wrote:
....

You'd think an Administrator, while editing permissions, could just edit this single comment permission in the top level gallery album and apply it for all sub-albums. Unfortunately, this unifies all child album props throughout the album tree, including ownership, who can add photos, etc. ...Not what I need at all...

-Jeff Hare

Hi Jeff,

First.. thanks for sharing this!
Second.. Do you have an idea for the user interface to handle the problem I quoted from you?

Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6

 
jeffhare

Joined: 2007-09-21
Posts: 5
Posted: Tue, 2007-10-09 18:59

That's a question I've been wrestling with myself for years. The challenge is all about keeping the interface simple for the end gallery user. I'd like to be able to apply a minimum security template gallery wide though.

A form exactly like the permissions form (without the hierarchy checkbox) that lets an admin choose the minimum criteria/rule to globally apply for each permission might work just fine.

ie: for each kind of permission, be able to set a minimum user rule to:

Everyone, <<= unless album/photo restricts further, anyone can do/see this.
Logged-in, <<= unless album/photo restricts further, anyone logged-in can do/see this.
Owner, <<= unless album/photo restricts further, owners can do/see this.
Admin <<= unless album/photo restricts further, admins can do/see this.
NOBODY <<= to disable using that feature altogether?

I'd settle for a single gallery-wide minimum security level permission policy.

How might it work?
==================
If the Add Comments permission security RULE were set to LOGGED-IN as a minimum user for adding comments, anonymous people never see comment options but everyone else might depending on the album's settings.

If the owner changed the add comment setting to a list of her friends, then only those logged in friends would see comment options (like it is today).
On the other hand, the owner could still set it to NOBODY and hide comment options from everyone.

IMPLEMENTATION?
===============
It would seem like you should be able to follow an implementation strategy in the base User class similar to how I patched above. It would need to associate each permission with a class of user and test accordingly prior to calling the method in the derived class.

ie: isUserAllowed($some_permission) -> returns true if they are above the min. required user class level. This assumes that you can say: NOBODY, EVERYONE, LOGGED-IN, OWNER, ADMIN are in order of increasing permission authority.

Note that I spent less than 10 minutes total analyzing and patching in this comment spam solution (from the time I decided to do something about it), so there may be better ways of solving it. I really don't know the code at all. The fact that I figured this out so fast is a testament to the quality and structure of the product, not my skills. :)

Cheers!
-Jeff
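The minimum-rule idea from the post above, written out as an added example (not Gallery's own code and not from any poster in this thread). All names here (`isUserAllowed`, `userClass`, the policy array, the sample users and album) are hypothetical, and it assumes the floor is checked before the album's own rule, that a NOBODY floor disables the feature for everyone, and that a permission with no configured floor is denied.

```php
<?php
// Added example: hypothetical names throughout, not Gallery's own code.
// User classes in increasing authority, using the ordering assumed in the post.
const NOBODY = 0, EVERYONE = 1, LOGGED_IN = 2, OWNER = 3, ADMIN = 4;

// Hypothetical gallery-wide floor: minimum user class for each permission.
$minimumPolicy = ['addComments' => LOGGED_IN, 'viewPhotos' => EVERYONE, 'vote' => NOBODY];

// Classify the requester. $user and $album are plain arrays standing in
// for Gallery's User and Album objects (constructed sample data).
function userClass(array $user, array $album): int {
    if (!empty($user['admin']))           return ADMIN;
    if ($user['uid'] === $album['owner']) return OWNER;
    if (!empty($user['loggedIn']))        return LOGGED_IN;
    return EVERYONE;                      // anonymous visitor
}

// Floor first, album rule second: an album can restrict further,
// but it can never grant access below the site-wide minimum.
function isUserAllowed(string $perm, array $user, array $album, array $policy): bool {
    $floor = $policy[$perm] ?? NOBODY;    // fail closed on unknown permissions
    if ($floor === NOBODY) {
        return false;                     // feature disabled site-wide
    }
    $class = userClass($user, $album);
    if ($class < $floor) {
        return false;                     // below the minimum user class
    }
    if ($class === ADMIN) {
        return true;                      // mirrors the isAdmin() shortcut in the patch
    }
    // Album-level rule: 'everybody', 'nobody', or a list of allowed uids.
    $rule = $album['perms'][$perm] ?? 'nobody';
    if ($rule === 'everybody') return true;
    if ($rule === 'nobody')    return false;
    return in_array($user['uid'], $rule, true);
}

// Constructed sample: an album whose owner left comments open to everybody.
$album = ['owner' => 'alice', 'perms' => ['addComments' => 'everybody', 'vote' => 'everybody']];
$users = [
    'anonymous' => ['uid' => 'anonymous', 'loggedIn' => false],
    'bob'       => ['uid' => 'bob', 'loggedIn' => true],
];
foreach ($users as $name => $user) {
    foreach (['addComments', 'vote'] as $perm) {
        $ok = isUserAllowed($perm, $user, $album, $minimumPolicy);
        printf("%-10s %-12s %s\n", $name, $perm, $ok ? 'allowed' : 'denied');
    }
}
```

With the floor applied in one place, a misconfigured album permission cannot reopen anonymous commenting, which is the same effect the one-line `isLoggedIn()` patch achieves for a single permission.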

 
bignellrp

Joined: 2008-03-21
Posts: 18
Posted: Fri, 2008-03-21 14:19

Is there now an easier way to prevent non 'logged in' users from commenting on your photos? I use gallery 1.5.6.

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Fri, 2008-03-21 14:50

Hello,

You need to upgrade to 1.5.7 and then disable commenting in the config

Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6

 
bignellrp

Joined: 2008-03-21
Posts: 18
Posted: Fri, 2008-03-21 14:59

Will that then allow ONLY 'logged in' users to comment on my photos?

Cheers

Tim_j wrote:
Hello,

You need to upgrade to 1.5.7 and then disable commenting in the config

Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Fri, 2008-03-21 15:35

Hello,

This is a setting per album.

Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6

 
jeffhare

Joined: 2007-09-21
Posts: 5
Posted: Fri, 2008-03-21 16:36

This really begs the question...

"In today's climate of pervasive spam attacks, is there any good reason to permit just any anonymous user to add content in the form of comments or spam to your site by default??"

I'd venture an educated guess here that for the vast majority of Gallery Users, the right answer is no, and that the proper default behavior here should be less permissive.

I use Gallery embedded in a portal. The portal's membership can create/manage their own galleries. Out of our 1000+ members and 400+ photo albums over the past 3-4 years, not one of them ever managed to set their permissions properly, so I had to resolve this policy in software.

-Jeff

 
bignellrp

Joined: 2008-03-21
Posts: 18
Posted: Fri, 2008-03-21 16:44

I still don't see how I can only allow 'logged in' users to comment on my photos. I can see how to change voting to only allow logged in users to vote, but can't see the same option for comments. Please guide me to the correct part of either the album properties or the global config where I can change this.

 
bignellrp

Joined: 2008-03-21
Posts: 18
Posted: Fri, 2008-03-21 17:07

Ok, I've figured it out per album. It's in the permission section of the album options. Now how do I change the default settings for all new albums? I.e. only ever allow logged in users to add comments as default.

 
jeffhare

Joined: 2007-09-21
Posts: 5
Posted: Fri, 2008-03-21 17:15

Hello bignellrp,

The patch I listed above really boils down to adding the following extra test to the canAddComments function in file gallery/classes/User.php

Quote:

&& $this->isLoggedIn()

This function asks three questions, and returns true if comments can be added and false if they should not be permitted.
If you just want to disable commenting altogether, just change the name of the old function to OLD_canAddComments and add this very simple replacement function instead:

Quote:

    // Always say no when asked if someone can add comments to an album...
    function canAddComments($album) {
        return false;
    }

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Fri, 2008-03-21 18:02

Defaults for new albums are set in the config in step3.

Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6

 
bignellrp

Joined: 2008-03-21
Posts: 18
Posted: Fri, 2008-03-21 18:51

The step you mention only allows you to change all the album options from EVERYBODY to LOGGED IN.

It doesn't allow you to change one option, such as comments to LOGGED IN and leave the other options to EVERYBODY. I think I'll have to try the hack from above.

Tim_j wrote:
Defaults for new albums are set in the config in step3.

Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6

 
Tim_j

Joined: 2002-08-15
Posts: 6818
Posted: Fri, 2008-03-21 22:46

You are right. Maybe I will enhance the permission dialog in the setup.

Apologies,

Jens
--
Last Gallery v1 Developer.
Tryout the TEST-Version of Gallery 1.6