danirus / django-comments-xtd

A pluggable Django comments application with thread support, follow-up notifications, mail confirmation, like/dislike flags, moderation, a ReactJS plugin and Bootstrap 5.3.
https://django-comments-xtd.readthedocs.io
BSD 2-Clause "Simplified" License

Avoid spam by requesting confirmation in advance #167

Open danirus opened 4 years ago

danirus commented 4 years ago

Email confirmation requests can be used to send actual spam. The goal for the spammer is not to post spam comments on the webpage but to spam email addresses. The only requirement to reach the goal is a form in which to post the target email address and the spam message. People who didn't post any comment receive a message with the confirmation link address and the spam.

If django-comments-xtd could reverse the process, so that the commenting user had to confirm the email address first and then post the comment, the spammer would not be able to post anything. The user would receive an email with a specific link; once clicked, the user would land on the same page with the comment form ready for posting.

How does it sound?

JanMalte commented 1 year ago

As far as I understand this is the COMMENTS_XTD_CONFIRM_EMAIL setting, right? So this is already/now implemented and the issue could be closed.

https://django-comments-xtd.readthedocs.io/en/latest/settings.html#comments-xtd-confirm-email

danirus commented 1 year ago

Hi @JanMalte, the scenario above is different from that of COMMENTS_XTD_CONFIRM_EMAIL.

Comment confirmation by email is enabled with that setting. But still someone could fill the comment form with spam, provide your email address and click on send. You would receive the comment confirmation email with the spam.

To eliminate such a possibility I propose to invert the process: the application presents the user with a form with only one field: an email address (something like "To send a comment, it's required that you provide your email address for confirmation"). Then the user receives an email with a link to confirm the email address. When the user clicks on the link, she is redirected to a page where she can write the comment. No further confirmation is required.

JanMalte commented 1 year ago

Ok, thanks for the clarification.

The generated link should only be valid for a specific period (24h), I think. Would you agree?
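The inverted flow discussed in the two comments above (an email-only form, a confirmation link, and only then the comment form, with the link valid for a limited period) as an added Python example. This is not django-comments-xtd code: it uses a plain HMAC-signed token with a constructed secret, a placeholder base URL, and assumed names (`make_confirmation_token`, `build_confirmation_email`, `verify_confirmation_token`, `accept_comment`) in place of the project's own views and settings. The property that matters against the spam scenario is visible in `build_confirmation_email`: the only visitor-supplied value in the outgoing mail is the recipient address, so there is no message body for a spammer to fill.

```python
import binascii
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Constructed secret for this example; a real deployment would use
# settings.SECRET_KEY. None of this is django-comments-xtd code.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
TOKEN_MAX_AGE = 24 * 60 * 60  # 24 hours, the validity period suggested in the thread


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload; only the server can produce a valid signature."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, target: str, now: Optional[float] = None) -> str:
    """Step 1: the only thing the visitor submits is an email address.
    The token binds that address to the commented object and to an issue time."""
    ts = int(time.time() if now is None else now)
    payload = json.dumps({"email": email, "target": target, "ts": ts}, sort_keys=True).encode()
    body = urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"


def build_confirmation_email(email: str, token: str, base_url: str = "https://example.invalid") -> dict:
    """The mail sent in step 1 carries a fixed text and the link; no visitor-written
    content is included, so the form cannot be used to relay a spam message."""
    return {
        "to": email,
        "subject": "Confirm your email address to post a comment",
        "body": f"Open this link to write your comment: {base_url}/comments/confirm/{token}",
    }


def verify_confirmation_token(token: str, now: Optional[float] = None,
                              max_age: int = TOKEN_MAX_AGE) -> Optional[dict]:
    """Step 2: the link is opened. Returns {'email', 'target'} when the token is
    authentic and still fresh, otherwise None."""
    try:
        body, sig = token.rsplit(".", 1)
        payload = urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: forged or tampered tokens are rejected here.
    if not hmac.compare_digest(_sign(payload), sig):
        return None
    try:
        data = json.loads(payload)
        issued = int(data["ts"])
    except (ValueError, KeyError, TypeError):
        return None
    current = time.time() if now is None else now
    if current < issued or current - issued > max_age:
        return None  # expired, or claims to have been issued in the future
    return {"email": data["email"], "target": data["target"]}


def accept_comment(token: str, comment_text: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 3: the comment is posted from the page the link leads to. The author's
    address comes from the verified token, never from a form field."""
    confirmed = verify_confirmation_token(token, now=now)
    if confirmed is None:
        return None
    return {"email": confirmed["email"], "target": confirmed["target"], "comment": comment_text}


if __name__ == "__main__":
    # Walk through the three steps with a constructed address and target.
    tok = make_confirmation_token("alice@example.invalid", "blog.post:42")
    print(build_confirmation_email("alice@example.invalid", tok)["body"])
    print(accept_comment(tok, "Thanks for the write-up."))
```

Because the token is self-describing and signed, the server keeps no pending-confirmation state; a tampered or expired link simply fails verification and the visitor is sent back to the email-only form.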