Forum OpenACS Q&A: Anonymous postings to forums

Collapse
Posted by mark dalrymple on
Greetings,

I've got Openacs 4.6.1, and I'm wanting to allow folks to be able to post to forums anonymously (like the Anonymous Coward on slashdot).  Adding permissions to "The Public" (user zero), and tweaking a couple of permission lines in tcl files got it mostly working.  One thing in the forums data model is a not-null reference to users, and there isn't a users.user_id of zero.  I added one manually in psql (insert into parties, persons, users) and things Seem To Work, but I'm worried about some subtle brokeness now introduced into the system and possiblly adding a security hole.  Is this the Best Way to add anonymous posting to fourms?

Collapse
Posted by Rocael Hernández Rizzardini on
Maybe is worth to think in other path, just an autologin for user as "Anonymous Coward", and that user has not way to edit its own data, in other words, no workspace. So you can have it for forums without dealing to change it but also with whatever other package you migth use.
Collapse
Posted by Don Baccus on
Currently party 0 is named "Unregistered Visitor".  I thought about making it a user for exactly this reason, i.e. allowing for anonymous postings.

I didn't do it at the time because I didn't have time to work out details such as those mentioned by Rocael.  Can I block the user data page by permissions at install time or do I need to do extra work?  That kinda thang.  We obviously don't want to want everyone and his sister modifying a dummy user account.

Glad to hear things seem to work when you make party 0 a "real user" (you should change the object_type for acs_objects(0) to "user", too.)

If you have time to explore things further to see what's needed (if anything) to prevent non-logged-in users from mucking around the user info page etc that would be really cool.  If you can verify things are OK we can look into doing this for 5.0, especially if you provide patches for any tweaks you need to do.

You'd need to check the admin pages, too ... Unregistered Visitor shouldn't show up because it doesn't belong to Registered Users.  This is probably proper behavior (?)

The actual datamodel and upgrade scripts are trivial so these aren't big deals.  We just want to make sure things work logically before taking the plunge.

Collapse
Posted by Dave Bauer on
Don, I am pretty sure the "Unregistered Visitor" should not be part of registered users. You would not want that user to be granted any permissions except those which are granted to "The  Public."
This is probably also important for subsites. If we have one anonymous user, it would need to be anonymous the same way across subsites.