I'm requesting a high priority feature for Commerce Kickstart 2.x to prevent demo sites from becoming huge spam centers. I had a demo store that I used occasionally to test Commerce Kickstart 2.x functionality that was web accessible. I hadn't touched it in over a year when I noticed it had amassed 7 GB of data in the database from spam user accounts and comments on a single demo blog post.
There's an easy argument to make that I should've been watching the site better, but I wasn't (it was a throwaway demo that I had put online so folks could see product recommendations inside Kickstart 2.x), and there's no telling how many other sites like this are live out there. The default configuration allows anonymous users to register accounts and then post comments without approval on content, opening the door for their sites to become as horrid as mine.
We could solve this pretty easily by tweaking the default user registration setting and / or adjusting permissions so comments are only allowed by administrators.
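The two changes proposed above, as an added example that is not part of the original post and is not Commerce Kickstart code: a Drupal 7 audit function plus an update hook that requires administrator approval for new accounts and removes comment posting from non-administrator roles. The module name `demo_hardening` is hypothetical, and the code assumes it runs inside a bootstrapped Drupal 7 site (the update hook belongs in the module's `.install` file).

```php
<?php
/**
 * Added example, not Commerce Kickstart code. Uses Drupal 7 core APIs only.
 * "demo_hardening" is a hypothetical custom module name.
 */

/**
 * Reports whether visitors can self-register and comment without review.
 */
function demo_hardening_audit() {
  $findings = array();
  // USER_REGISTER_VISITORS means accounts are created with no approval step.
  if (variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL) == USER_REGISTER_VISITORS) {
    $findings[] = 'Visitors can create accounts without administrator approval.';
  }
  $roles = array(
    DRUPAL_ANONYMOUS_RID => 'anonymous user',
    DRUPAL_AUTHENTICATED_RID => 'authenticated user',
  );
  // Returns array(rid => array(permission => TRUE)).
  $granted = user_role_permissions($roles);
  foreach ($roles as $rid => $name) {
    foreach (array('post comments', 'skip comment approval') as $perm) {
      if (!empty($granted[$rid][$perm])) {
        $findings[] = "Role '$name' has permission '$perm'.";
      }
    }
  }
  return $findings;
}

/**
 * Implements hook_update_N(): apply the two changes proposed in the issue.
 */
function demo_hardening_update_7001() {
  $before = demo_hardening_audit();
  // New accounts stay blocked until an administrator approves them.
  variable_set('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL);
  // Only roles that keep these permissions (e.g. administrator) can comment.
  foreach (array(DRUPAL_ANONYMOUS_RID, DRUPAL_AUTHENTICATED_RID) as $rid) {
    user_role_revoke_permissions($rid, array('post comments', 'skip comment approval'));
  }
  return format_string('Addressed @n finding(s).', array('@n' => count($before)));
}
```

Calling `demo_hardening_audit()` again after the update should return an empty array; existing spam accounts and comments are not removed by this change.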
Comments
Comment #1
lsolesen commented: I agree with the default user registration setting - and this could be done quickly.
About the comments - maybe we could add honeypot or something similar #2126491: Comments on blogs are open by default with no spam protection
Comment #2
lsolesen commented: https://github.com/commerceguys/commerce_kickstart/pull/48
Comment #3
lsolesen commented: Changing user register as suggested in the pull request stated above, will break this behavior for anonymous users. They will after "Create account" be redirected to the frontpage with this message "Thank you for applying for an account. Your account is currently pending approval by the site administrator.
In the meantime, a welcome message with further instructions has been sent to your e-mail address."
This is how it works at the moment before merging the pull request.
What do we want to happen?
Comment #4
lsolesen commented:
Comment #5
lsolesen commented: The other suggestion is to disable comments for authenticated users:
However, then the above test will fail - and it is not shown on the blog post that it is possible to post anything?
As I see it, we have these options:
1) Make the decision about comments a part of the install process.
2) Introduce Honeypot https://drupal.org/project/honeypot
Comment #6
rszrama at Centarro commented: Commerce Kickstart 2.x is in minimal maintenance mode. Closing out all outdated tickets now to maintain focus on Commerce Kickstart 3.x.