Confirming Discourse username when publishing posts from WordPress


#1

So I created another user and saw if I could post as anyone when using the WordPress blog to Discourse topic feature.

Sure enough, it shows that user posting as whoever they say they are on Discourse, even though they aren't that user (when you set up your Discourse name in the WordPress profile).


(Simon Cossar) #2

Yes, with the Admin API key you can post as any user.

You can work around this by enabling the Do Not Display Discourse Name Field option on the Publishing settings tab. Just enabling that setting on its own will cause all posts to be published under the name you have set as the Publishing Username. If you also enable the SSO Client option, users who log in through Discourse will have their Discourse username automatically set.

If you are using WordPress as the SSO Provider and enable the Create or Sync Discourse Users on Login option, Discourse usernames will be automatically set.

For the case where multiple authors are intentionally publishing posts under a single username, there is a warning message appearing on the new post page that needs to be removed.


#3

But the thing is it leads to impersonation probability. The user can post as system, or a bot, or anyone; they can even pin topics.

Not sure if you thought about that or if I'm missing something here, but basically since I found this out I'm going to have to turn that feature off. Just thought I'd mention it; I didn't see anyone else mention this.

Even if you set people as a contributor (has to have posts reviewed), they can still set their Discourse name to whoever in their WP profile.

Any thoughts on this?


(Simon Cossar) #4

The assumption is that you trust your authors, but I’m realizing that this isn’t a valid assumption for all sites.

There should be an option to set what user roles the Publish to Discourse meta box is displayed for. For example, it could only be displayed for editors and admins.

Another possible approach would be for the plugin to take a list of usernames/User API Keys and only publish to Discourse under those names.

There is a small change that could be made to the code so that when the SSO Client option is enabled, only users who had set their Discourse Username by logging in through Discourse would be able to publish posts.

Not if you enable the Do Not Display Discourse Name Field option.
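As an added example (not the WP Discourse plugin's own code), this is the check that makes the SSO Client approach trustworthy: the WordPress side accepts a Discourse username only from a return payload that Discourse signed with the shared SSO secret, and ignores whatever the author typed into their profile. The secret, nonce and user fields below are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed secret for this example; in practice it is the sso secret
# shared between Discourse and the WordPress site.
SSO_SECRET = "constructed-example-secret"


def sign_sso_payload(payload_b64: str, secret: str) -> str:
    """Discourse SSO signs the base64 payload with HMAC-SHA256 (hex digest)."""
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()


def build_signed_return(fields: dict, secret: str) -> tuple:
    """Constructed stand-in for the sso/sig pair Discourse sends back after login."""
    payload_b64 = base64.b64encode(urlencode(fields).encode()).decode()
    return payload_b64, sign_sso_payload(payload_b64, secret)


def verify_sso_return(sso: str, sig: str, secret: str, expected_nonce: str) -> dict:
    """Return the fields Discourse asserted, or raise ValueError if unverifiable."""
    if not hmac.compare_digest(sign_sso_payload(sso, secret), sig.lower()):
        raise ValueError("SSO signature mismatch")
    fields = {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}
    if fields.get("nonce") != expected_nonce:
        raise ValueError("SSO nonce mismatch")  # replayed or foreign payload
    if not fields.get("username") or not fields.get("external_id"):
        raise ValueError("SSO payload missing username/external_id")
    return fields


def sso_return_is_valid(sso: str, sig: str, secret: str, expected_nonce: str) -> bool:
    """Convenience wrapper: True only when verify_sso_return accepts the payload."""
    try:
        verify_sso_return(sso, sig, secret, expected_nonce)
        return True
    except ValueError:
        return False


def discourse_username_for_publishing(profile_claim: str, sso: str, sig: str,
                                      expected_nonce: str, secret: str = SSO_SECRET) -> str:
    """Trust only the username proven by a verified SSO login, never a profile field.

    profile_claim is whatever the author typed into their WordPress profile; it is
    deliberately ignored, so a claim of "system" cannot become the publishing identity.
    """
    return verify_sso_return(sso, sig, secret, expected_nonce)["username"]
```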