Another Plus for the User-Reg Idea

Okay, so I’m pimping my arguments for a Weblog user registration system again, but I think I have good reason to be doing so.

Dave Shea is now using what he calls a reply legend.

First it checks if the comment author is me. If so, it returns the value “dave”. Next it checks for the list of ‘Important Voices’ and if there’s a match, returns “voce”. The troll/off-topic check basically won’t work unless I manually change a commenter’s URI in MT, so I don’t expect to use it a lot, but I want to see if it will prove useful. Finally, if there is no URI, the comment is considered semi-anonymous and “anon” is returned.

This is an interesting thing, but as Dave notes:

Low-tech, insecure, but hopefully manageable. The easy way to game this system is to leave someone else’s URI instead of your own, but I’m counting on the magic of PageRank and the desire for overflow links to keep everyone honest. There’s absolutely nothing now (short of TypeKey) stopping one from spoofing another on anyone’s site, but the payoff is a tiny little bit more in this case. Obviously this won’t scale, and will probably break sooner than I’d expect, but for now it works.

I think that user security is a potentially huge issue:

Say I post comments on Alex King’s Weblog. I submit a name of “Geof”, an email of “gfmorris AT gfmorris DOT com”, and a URL of “http://gfmorris.net/” with my comments. Alex comes to expect, after a time, that comments with that data triple are mine.

Say someone decides that they hate me and starts posting comments in my name. They haven’t hijacked my computer at all; they’re just posing as me. They appear to be me, and there’s nothing to verify that the comment is from me.

My friend Bryan often accuses me of being the one who “is unafraid to point at the elephant in the room that everyone’s ignoring”. I’d hate to have to pretend to be, oh, Matt Mullenweg to prove my point. [If I ever did intend to prove my point, I’d let that person know first, of course.]
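As an added example (not code from this post, from Dave Shea's site, or from MT or WordPress): the reply legend keyed on the typed-in URI, next to a version that takes the class from a logged-in account, which is the point of user registration. The function names, the owner URI, the "reader" default class and the account store are assumptions made for illustration, and the manual troll check is left out.

```python
import hashlib
import hmac
import os

OWNER_URI = "http://owner.example/"          # constructed: the site owner's URI
IMPORTANT_VOICES = {"http://gfmorris.net/"}  # constructed list, URI taken from the post
SERVER_KEY = os.urandom(32)                  # server-side secret for session tokens
ACCOUNTS = {}                                # username -> (salt, password hash, url)


def legend_by_uri(comment):
    """Reply legend as quoted above: class comes only from the self-reported URI."""
    uri = comment.get("url", "")
    if uri == OWNER_URI:
        return "dave"
    if uri in IMPORTANT_VOICES:
        return "voce"
    return "anon" if not uri else "reader"  # "reader" is a hypothetical default


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _mac(user):
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()


def register(user, password, url):
    salt = os.urandom(16)
    ACCOUNTS[user] = (salt, _pw_hash(password, salt), url)


def login(user, password):
    """Return a session token for a correct password, otherwise None."""
    record = ACCOUNTS.get(user)
    if record is None or not hmac.compare_digest(_pw_hash(password, record[0]), record[1]):
        return None
    return f"{user}:{_mac(user)}"  # no expiry or revocation: kept minimal


def legend_by_session(comment, token):
    """Class comes from the logged-in account; typed-in fields prove nothing."""
    user, _, mac = (token or "").rpartition(":")
    if user not in ACCOUNTS or not hmac.compare_digest(mac.encode(), _mac(user).encode()):
        return "anon"
    return legend_by_uri({"url": ACCOUNTS[user][2]})
```

With the first function, anyone who types the right URL gets the "voce" class; with the second, the same form data without a valid session token is treated as anonymous.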

[Nota bene: I have fixed previous character set issues. I apologize for the temporary problems. –GFM]

[Nota nota bene: Not only did I try to use BBCode rather than HTML elements in the previous revision of the note, I didn’t realize the true source of the charset problems–internal to WP itself. Sonofa. –GFM]

5 comments

  1. I’m not sure why, but you are getting some funky characters in your post. I think it’s when single and double quotes are used. It makes your post harder to read.

    Anyway, I’ve been kicking around the ideas of things to do if you have people log into your blog for comments. You could set up the blog to look one way based on your preferences as the default and then give users the option to change certain things around based on how they want to view your blog, and no, I’m not talking just style sheet switching. 🙂

  2. Matt, thanks for pointing that out. Oh, the joys of charsets…

    Your comment also points out one of the big problems about what I’m proposing–it’s so easy to think of user-reg as comments first-and-foremost. One could set stylesheets, opt to ignore certain categories of postings, be given privileges to see posts that aren’t displayed to the general public … anything where you take the Weblog format from one-to-many and back to more of a one-on-one format.

  3. About opting to ignore certain categories, using feeds creates its own issue with that. You would have to create feeds for each category, and then allow the person to subscribe to whatever ones they want, but “site news,” or whatever category you use for telling people about your site’s changes would have to be a “must subscribe to,” so people are at least aware of any site changes. Nothing like having a new category added that you want to know about and then not finding out about it. You would also have a feed with all the categories in it too.

  4. Yeah, a complicated environment would make that hard, except for the fact that WP generates its syndication feeds on the fly. The issue is, of course, user authentication in the URL to the feed, unless your users are comfortable in having a feed URL like http://ijsm.org/atom/mb/ as a public URL. [Authenticating with user/pass through an aggregator can be a cast-iron bitch, and unless Atom can support that—haven’t read the spec, don’t know offhand—you’re stewed.] Category-specific feeds are in the offing, and if you can filter based on category, I don’t know how much of a leap forward it is to basing it on user prefs.

  5. I’m just thinking of creating a feed for each of the sections and then one for all, and then letting the feed reader let you select what feeds you want, so it wouldn’t really be directly involved as part of the register/login system. I think that’s the easiest way of doing it.
