It does work if I’m logged in to the site. Howcome not when I’m not logged in? The description states for anonymous users…
Does the plugin set cookies? My site normally otherwise does not (I strive for that), but I see three domain cookies, with cryptic names.
Looking at the code, it seems to try to inspect a cookie “SimpleCommentEditing”, but I don’t see any such cookie )-:
The function generate_cookie_data() looks to be (trying to) set a cookie like this:
$cookie_name = ‘SimpleCommentEditing’ . $comment_id . $hash;
I expect that the editing would work if the cookie were there – but it’s not…
Sorry Ronald,
in fact the cookie is there – with a name like SimpleCommentEditing14210081828b22b637bf3bd24ca5b37d03d
I suppose I missed it as it’s only valid for 5 minutes 🙂
I have done some debugging and found the reason: My theme anonymises the stored IP address of the commenter, like this:
// Anonymize commenter IPs - this is non-negotiable :)
function pre_comment_anon_ip($address)
{
$packedAddress = inet_pton($address);
if (strlen($packedAddress) == 4) {
return inet_ntop($packedAddress & inet_pton('255.255.255.0'));
} elseif (strlen($packedAddress) == 16) {
return inet_ntop($packedAddress & inet_pton('ffff:ffff:ffff:ffff:0000:0000:0000:0000'));
} else {
return "127.0.0.1";
}
}
add_filter('pre_comment_user_ip', 'pre_comment_anon_ip');
Your cookie functions use the IP in the hash used in the cookie name – so they do not match.
I can think of at least 3 ways out of this:
- You stop putting the IP in the hash
- You use the above anonymising function on the hash, both times (would work for me)
- You provide an option to say if and how much anonymising should be done to mirror what someone else may be doing (would need “expert” users)
I really hope you find a good way through, as in the age of GDPR the anonymising is really important, to be able to avoid needing a cookie banner on the website.
Thanks in advance,
Tim
Things are often that much clearer after a nights sleep. The fix is easy. Insert this as line 1096:
$comment_author_ip = apply_filters( 'pre_comment_user_ip', $comment_author_ip );
I have tested it, works.
Would be very grateful if you could get a new version out soon, as my security plugin (WP Cerber) will now be complaining about a modified file every 6 hours…
Best,
Tim
Heya @tim-reeves
Sorry for not responding.
Would you be able to create a PR here?
https://github.com/MediaRon/simple-comment-editing
I’ll have to test this out pretty thoroughly. For the most part, the IP verification hasn’t been touched for quite some time.
Thanks,
Ronald Huereca
Hi @ronalfy
I’m not so fit with Github but I did try to make a PR – I don’t know if it worked.
But in fact we’re only talking about inserting one line of code… (see above).
On the one hand I understand about you being careful changing something long untouched. But on the other hand, if you really look at it the fix is obviously right and neccessary: We know that before storing the IP, WP will apply the filter (see above). So it’s only logical that if we need a match, we must also apply it before using the IP.
I suppose one could imagine that a truncated IP is not an exact match – but (a) little chance of someone with an IP in the same (truncated) address range adding a comment to a particluar website at the same time; and (b) there’s the cookie requirement anyway. So I really don’t see any problem. And it’s been working for me for a month now.
Currently I’m in the sad position that I have had to switch off auto-updates to the plugin (as I have an edited file in place), and also I don’t want to install it at client websites as it’s then too much work with the manual file update.
Would be very grateful if you could address the issue – many thanks!
Tim
@tim-reeves would adding am option and/or filter to enable it?
Hi Ronald,
yes, adding an option would be fine. Thanks!
Tim
@tim-reeves I merged the code in and will leave it turned on by default.
I added in a filter sce_pre_comment_user_ip that is true by default and will run the pre_comment_user_ip filter on every new comment.
I added the filter just in case someone needs to disable it. If there are any problems with editing, I’ll have to change the sce_pre_comment_user_ip to false and an option to turn it on. I don’t foresee this happening. If anything, it should make the comment editing more reliable.
Thanks for the PR and fix. I’ve attempted to credit you in the code as well as the readme. If you need further credit, please let me know.
Regards,
Ronald Huereca
Hi Ronald,
many thanks indeed for the fix – I confirm that it now works for me.
I didn’t do it for creds, but to support the work of both of us – but many thanks, appreciated.
Best for you,
Tim
