I'm requesting a high priority feature for Commerce Kickstart 2.x to prevent demo sites from becoming huge spam centers. I had a demo store that I used occasionally to test Commerce Kickstart 2.x functionality that was web accessible. I hadn't touched it in over a year when I noticed it had amassed 7 GB of data in the database from spam user accounts and comments on a single demo blog post.

There's an easy argument to make that I should've been watching the site better, but I wasn't (it was a throwaway demo that I had put online so folks could see product recommendations inside Kickstart 2.x), and there's no telling how many other sites like this are live out there. The default configuration allows anonymous users to register accounts and then post comments without approval on content, opening the door for their sites to become as horrid as mine.

We could solve this pretty easily by tweaking the default user registration setting and/or adjusting permissions so comments are only allowed by administrators.

Comments

lsolesen

I agree with the default user registration setting - and this could be done quickly.

About the comments - maybe we could add Honeypot or something similar, see #2126491: Comments on blogs are open by default with no spam protection

lsolesen

Changing user registration as suggested in the pull request stated above will break this behavior for anonymous users. After "Create account" they will be redirected to the front page with this message: "Thank you for applying for an account. Your account is currently pending approval by the site administrator. In the meantime, a welcome message with further instructions has been sent to your e-mail address."

This is how it works at the moment, before merging the pull request.

  @javascript
  Scenario: An anonymous user can create account during checkout
    When I press "Checkout"
    Then I should see "You need to be logged in to be able to checkout."
    Then I should see the heading "I don't have an account"
    When I click "Create an account"
    Then I should see the heading "Register"
    Given I fill in "Username" with random text
      And I fill in "E-mail address" with random email
    When I fill in "Password" with "myawesomepass"
      And I fill in "Confirm password" with "myawesomepass"
    And I press "Create new account"
    Then I should see "Registration successful. You are now logged in."
    Then I should see "Checkout"
    Then I should see the following <texts>
      | texts                           |
      | $8.00                           |
      | Coffee Mug 1                    |
      | Billing information             |
    When I select "United States" from "Country"
    Given I wait for AJAX loading to finish
    When I fill in the following:
      | Full name | My full name |
      | Address 1 | My address   |
      | City      | My city      |
      | ZIP Code  | 90120        |
    And I select "California" from "State"
    And I press "Continue to next step"
    # Just choose the default shipping method
    And I press "Continue to next step"
    Then I should see "Review order"
    # The default shipping method
    And I should see "Express shipping: 1 business day"
    # Order total
    And I should see "$23.00"
    When I fill in "4111111111111111" for "Card number"
    And I select "03" from "commerce_payment[payment_details][credit_card][exp_month]"
    And I select "24" from "commerce_payment[payment_details][credit_card][exp_year]"
    And I press "Continue to next step"
    Then I should see "Checkout complete"
    And I should see "Your order number is"
    And I should see "You can view your order on your account page when logged in"
    And I should see "Return to the front page"

What do we want to happen?

lsolesen

Status: Needs review » Needs work
lsolesen

The other suggestion is to disable comments for authenticated users:

  Background:
    Given I am on the homepage
    When I click "Blog"
    Then I should see the heading "Blog"

  Scenario: Comments should be closed for anonymous users
    When I click "Social Logins Made Simple"
    Then I should see the heading "Social Logins Made Simple"
    Then I should see "Log in or register to post comments"

However, then the above test will fail, and it is not shown on the blog post that it is possible to post anything?

As I see it, we have these options:

1) Make the decision about comments a part of the install process.
2) Introduce Honeypot https://drupal.org/project/honeypot
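The two comment scenarios quoted above pull in different directions only if the fix is made at the registration setting. Requiring administrator approval for new accounts breaks the "create account during checkout" flow, but the spam the issue describes comes from the comment permissions, which can be tightened independently of registration. The following Drupal 7 snippet is an added example, not code from Commerce Kickstart or from anyone in this thread: it keeps registration open so checkout still works, removes "post comments" from the anonymous role (which is what makes the "Log in or register to post comments" message appear for anonymous visitors), holds every authenticated user's comment for approval, and closes comments by default on new blog posts. The function name and the `blog_post` content type machine name are assumptions; the permission names, constants and API calls are standard Drupal 7.

```php
<?php
/**
 * Example only: harden the spam-prone defaults discussed in this issue.
 *
 * Not part of Commerce Kickstart. Intended to be called from a profile or
 * module hook_install()/hook_update_N(); the function name is hypothetical.
 */
function example_kickstart_harden_comment_defaults() {
  // Registration stays open to visitors (no admin approval, no e-mail-only
  // password), so the checkout "Create an account" scenario keeps passing.
  variable_set('user_register', USER_REGISTER_VISITORS);

  // Anonymous users can read but never post comments. Because the
  // authenticated role keeps "post comments", Drupal renders
  // "Log in or register to post comments" on blog posts for anonymous visitors.
  user_role_revoke_permissions(DRUPAL_ANONYMOUS_RID, array(
    'post comments',
    'skip comment approval',
  ));

  // Freshly registered (throwaway) accounts may still comment, but every
  // comment lands in the approval queue instead of going live immediately.
  user_role_revoke_permissions(DRUPAL_AUTHENTICATED_RID, array(
    'skip comment approval',
  ));

  // New blog posts default to "closed" comments; an editor opens them per
  // node when wanted. 'blog_post' is the assumed machine name of the demo
  // blog content type. This only affects nodes created after the change;
  // existing nodes keep their own comment status.
  variable_set('comment_blog_post', COMMENT_NODE_CLOSED);
}

/**
 * Example only: sanity check after running the function above.
 *
 * Returns TRUE when neither the anonymous nor the authenticated role can
 * publish comments without approval.
 */
function example_kickstart_comment_defaults_are_hardened() {
  $roles = array(
    DRUPAL_ANONYMOUS_RID => 'anonymous user',
    DRUPAL_AUTHENTICATED_RID => 'authenticated user',
  );
  // user_role_permissions() returns an array keyed by rid, each value an
  // array of granted permission names => TRUE.
  $perms = user_role_permissions($roles);

  $anon_can_post = !empty($perms[DRUPAL_ANONYMOUS_RID]['post comments']);
  $anon_skips    = !empty($perms[DRUPAL_ANONYMOUS_RID]['skip comment approval']);
  $auth_skips    = !empty($perms[DRUPAL_AUTHENTICATED_RID]['skip comment approval']);

  return !$anon_can_post && !$anon_skips && !$auth_skips;
}
```

With this configuration the first scenario above (registering during checkout) is unaffected, and the second (anonymous user sees "Log in or register to post comments") passes as well; the remaining exposure is moderated comments from registered accounts, which an administrator reviews instead of the database filling up unattended. Honeypot can be layered on top of this for the registration and comment forms without changing either scenario.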

rszrama

Status: Needs work » Closed (outdated)

Commerce Kickstart 2.x is in minimal maintenance mode. Closing out all outdated tickets now to maintain focus on Commerce Kickstart 3.x.