Commentedit: Edit comments some time after posting them

[onli]

I finished the prototype of a plugin which gives commenters the ability to edit their comment for a short time after it got posted - you probably know that functionality from wordpress.

I'm quite stunned it seems to work I need some of you to test this, and especially garvin to check if that's a secure approach. jQuery needs to be installed.

There are still some issues: There is no indicator of the remaining time, no indicator that the comment may be edited (simply click on it, it's inline-editing) and you are able to edit the html, which lead to some whiteline-issues in my tests. The timeout is set fix to 5 minutes, I'll add configuration if everything else works well.

Maybe someone has an idea how to (technically and graphically) design the indicators?
sincerely

[garvinhicking]

Hi!

Hey, that's a great effort.

I believe though that you should not need to start your own session; serendipity_config.inc.php already does so. Changing the session_name in your plugin isn't good, you should use the existing session name, or session data might get screwed up. s9y 1.5 for example sets his own session name.

You'll also need to raise the minimum version requirement to s9y 1.5, because the "comment_cid" won't work in older versions.

Could you explain me the CacheLite usage in detail? I don't really understand what it caches; if you store the data inside the session already, why cache it? The session itself is some sort of cache storage...but I'm sure I don't properly understand the concept yet

Best regards,
Garvin

[onli]

Hi Garvin
I'm not familiar with session-management. I thought that with naming, setting a timeout and starting a session if needed I handly this properly, and to that time I thought about storing data in the session. I wasn't aware that may collide with an existing session. May I simply read the session_id() without needing to do anything else? That'd be fine.

I changed the requirements, totally oversaw that.

I use CacheLite to save which session_id() belongs to which comment_id, and to save it for only five minutes. That way, I thought I can minmize the danger of having someone misuse this plugin to change the comment of someone else. In fact, I'm storing nothing in a session, I'm only reading the id.

I simply wasn't sure if it's safe to store something like that in a session and was more familiar with CacheLite. I'm perfectly fine with changing that if you think it's a safe way to go.
sincerely

[garvinhicking]

Hi!

Hi Garvin
I'm not familiar with session-management. I thought that with naming, setting a timeout and starting a session if needed I handly this properly, and to that time I thought about storing data in the session. I wasn't aware that may collide with an existing session. May I simply read the session_id() without needing to do anything else? That'd be fine.

Yes, that should do the trick already.

I use CacheLite to save which session_id() belongs to which comment_id, and to save it for only five minutes. That way, I thought I can minmize the danger of having someone misuse this plugin to change the comment of someone else. In fact, I'm storing nothing in a session, I'm only reading the id.

Maybe you should better store it in the session, because this is related to a single user only. If you use a global cache, it is both more overhead and probably even less secure because the cache might screw with the data of a user: If he submits his comments 2 seconds before the Cache of CacheLite is to be purged, his data would only be valid for 2 seconds and not for 5 minutes.

Keep it up, I'm sure this will be a plugin that could be useful to many people, as it's been asked for sometimes already. About the visual indicators I am a bit clueless, maybe YellowLED or Don or others could give their feedback?

Regards,
Garvin

[onli]

Do the session-managemant of php have an automatic to set a variable only for some minutes without destroying the whole session? I don't want to code this with time() and manual comparisons if possible.
sincerely

[garvinhicking]

Hi!

You could simply store the data like:

Code: Select all

$_SESSION['commentStore'][$cid] = time();

and later in the code, simply do a comparison if for the given cid the timestamp is > time()-300? I think that's the best way. PHP has no timelimit for session contents.

Regards,
Garvin

[onli]

A pity. But you're right, it works. Attached, as I hope that way ideas for the indicator are easier to test for someone else. We have Javascript and can use that on the comment, can ask the time via ajax, so it's really only about a graphical solution. YellowLed, ain't that something for you?
sincerely

[onli]

I now implemented a timer: via ajax the remaining time is fetched, and from that on updated via javascript. If the time is over, the comment-editability is disabled, so even without a refresh the user never should be in a situation in which he thinks that he may edit, but in reality his changes can't be saved.

Configuration is added, too. It's possible to set timeout and plugin-path. Ah, and I added a edit-link.

I think it's done (knowing that it's never done ). Garvin, do I have to take care somewhere manually that no harmful html is inserted, apply strip_tags before a frontend_view? That'd be very hard to accomplish, as we edit the html directly up till now.
sincerely

[garvinhicking]

Hi!

I think that looks quite promising and well. I would like to see that in Spartacus, do you want to commit it?

As long as you always use the s9y functions to display the comment, you can store any evil HTML you like in the comment; it is always cleared by the serendipity display option.

And if the user edits the comment to insert evil HTML for his own browser, there's nothing we can do for him. As long as it does not show up for other users, that's fine (and it won't show for others, due to the unique session id)...

Regards,
GArvin

[onli]

I uploaded it to spartacus. Not exactly the same version like the last .tar.gz, but with improvements to the indicator and frontend-translation, nothing substantial.

PS: Having this in spartacus before s9y 1.5 ain't too useful And because of the use of json_encode and decode, I changed the PHP-dependency to 5.2.0.

[Cowboy]

Howdy

This plugin is a grat idea, know that from Wordpress. But on my blog this plugin's not running. In the options I gave the complete plugin path incl. "http://" and set time limit to 12 hour (3600), but there appears no edit-link in the frontend...

I'm using s9y 1.5-alpha 2 with the "Brown Paper"-Theme.

Any hints?

[onli]

Hi
Is the Plugin still activated?

It is using the footer-event to add the javascript to the site which then adds the edit-link and so on. Does your template, your index.tpl, contain {serendipity_hookPlugin hook="frontend_footer"}? (Is this an unmodded brown paper theme? Then I could look myself).
sincerely

PS: The unit of the edit-time is in seconds.

[Cowboy]

Hi

The event hook exists in the theme, just looked for that. I put some buttons and credits into the footer, but the hook is still there.

PS: Sure, the unit is in seconds, thats why I set it to 3600, what is an hour When the plugin is running, I will set it to 5 minutes, 300 seconds.

[onli]

The 12 hours irritated me.

As far as I can see the logic of the comment-assignment is working fine. The problem seems to be, that the 'serendipity_event_commentedit.js' can't be found, the path "http://blog.cowboy-of-bottrop.de/plugin ... entedit.js" leads to the normal page instead of the javascript-file. Did you already try the default-value for the path, which should be '/plugins/serendipity_event_commentedit/' (depending on your setup)?

Edit: I just realized that the path is ok. The mistake was made by me, it seemed I forgot or it failed to add the serendipity_event_commentedit.js to spartacus. I will add it now, in two days it should be available, you could fetch it manually as soon as it's available at http://php-blog.cvs.sourceforge.net/vie ... mmentedit/ .
sincerely

[Cowboy]

Hey, that's great. I'll look for the missing JS file and put it into the plugin directory.
Thanks for your help