--- modules/comment.module.orig 2005-08-07 22:34:45.000000000 -0400
+++ modules/comment.module 2005-08-07 22:37:56.000000000 -0400
@@ -320,6 +320,7 @@
 $group = form_radios(t('Anonymous poster settings'), 'comment_anonymous', variable_get('comment_anonymous', 0), array(t('Anonymous posters may not enter their contact information'), t('Anonymous posters may leave their contact information'), t('Anonymous posters must leave their contact information')), t('This feature is only useful if you allow anonymous users to post comments. See the permissions page.', array('%url' => url('admin/access/permissions'))));
 $group .= form_radios(t('Comment subject field'), 'comment_subject_field', variable_get('comment_subject_field', 1), array(t('Disabled'), t('Enabled')), t('Can users provide a unique subject for their comments?'));
 $group .= form_radios(t('Preview comment'), 'comment_preview', variable_get('comment_preview', 1), array(t('Optional'), t('Required')));
+ $group .= form_textfield(t('Private key'), 'comment_private_key', variable_get('comment_private_key', '') , 20, 40, t('If you require that comments on your site be previewed, optionally enter a private key to prevent comment spammers from bypassing the comment preview step. The actual text of your private key is not important and does not need to be memorized.'));
 $group .= form_radios(t('Location of comment submission form'), 'comment_form_location', variable_get('comment_form_location', 0), array(t('Display on separate page'), t('Display below post or comments')));
 $output .= form_group(t('Comment posting settings'), $group);
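Review bot: The new `comment_private_key` setting defaults to `''` and its help text tells the admin the key text "is not important", yet the token built in the second hunk is `md5(pid . nid . key)` with pid and nid present as hidden fields in the same form, so an empty or short key leaves the token computable or recoverable offline from one observed value and the preview check is silently absent. Consider seeding a random value when the setting is unset rather than defaulting to `''`, and rewording the help text, e.g. `t('Enter a long, unpredictable private key. It is never shown to users, and leaving it empty disables this protection.')`. The enclosing settings function starts and ends outside the hunk.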
@@ -1425,13 +1426,15 @@
 $form .= form_hidden('pid', $edit['pid']);
 $form .= form_hidden('nid', $edit['nid']);
 $form .= form_hidden('uid', $edit['uid']);
+ $token = md5($edit['pid'] . $edit['nid'] . variable_get('comment_private_key', ''));
+ $form .= form_hidden('token', $token);
 $form .= form_submit(t('Preview comment'));
 // Only show post button if preview is optional or if we are in preview mode.
 // We show the post button in preview mode even if there are form errors so that
 // optional form elements (e.g., captcha) can be updated in preview mode.
- if (!variable_get('comment_preview', 1) || ($_POST['op'] == t('Preview comment')) || ($_POST['op'] == t('Post comment'))) {
+ if (!variable_get('comment_preview', 1) || (($_POST['op'] == t('Preview comment') || $_POST['op'] == t('Post comment')) && $edit['token'] == $token)) {
 $form .= form_submit(t('Post comment'));
 }