User-editable Comments, HTML Emails and Admin Quick-delete #4

Merged
merged 1 commit into from Jan 3, 2017


@kirsle
Owner
kirsle commented Jan 3, 2017 edited

This makes various quality-of-life enhancements on the commenting system of Rophako:

User-editable Comments

Users can now be given a grace period where they're allowed to edit (or delete) their own comments added to the site.

Session cookies are made long-lived (30 day window), and all commenting users are given a random "Comment Deletion Token" that is saved in their session (one is generated only when it doesn't already exist).

All comments created by that session will have the deletion token saved with their data as the token parameter. (Old comments won't have tokens; this is OK.)

If a user views their comment within 2 hours of posting it (the default grace window), and their session Comment Deletion Token matches the stored comment's, they are shown the "Edit" and "Delete" links along with a small notice that they posted the comment recently. (The notice takes the place of the admin's view where it shows the IP address of the commenter.)

The "Edit" and "Delete" functionality on a comment can be used if the tokens of the end user match and the comment is still new. Site admins can always edit or delete comments as before.

HTML Emails

All e-mails sent from the Rophako CMS will now have HTML and plain text variants.

The HTML email template is named email.inc.html, so site owners can change the layout by creating their own template.

E-mail bodies are now treated as Markdown text: the HTML version of the e-mail renders the Markdown into HTML, and the plain text version uses the text as-is.

This allows for clickable links in all e-mail clients, and rendering of Markdown text in comments.

Quick Delete

To help delete spam comments as quickly as possible, the admin copy of the notification e-mail for new comments will include a Quick Delete link. This is a one-click deletion of the comment that doesn't require the user to be logged in.

How it works: I use itsdangerous to sign the comment details using the site's secret key (Flask uses itsdangerous in the same way for its session cookies). This makes the "Quick Delete Token" hard to predict and impossible to forge by end users.
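As an added illustration, not Rophako's own code, here are the two checks described above in plain Python: the per-session deletion-token grace check for user edits, and a signed quick-delete token verified with the site's secret key. The PR uses itsdangerous for the signing; this example uses the standard library's hmac to show the same idea, and the field names (token, time, comment_token) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

GRACE_SECONDS = 2 * 60 * 60  # default 2-hour window to edit/delete your own comment


def new_deletion_token(session):
    """Give the session a random Comment Deletion Token, but only if it has none yet."""
    if "comment_token" not in session:
        session["comment_token"] = secrets.token_urlsafe(16)
    return session["comment_token"]


def user_can_edit(comment, session, now=None):
    """End user may edit/delete only if tokens match and the comment is still new."""
    now = time.time() if now is None else now
    token = comment.get("token")  # assumed field; old comments have none
    if not token or "comment_token" not in session:
        return False
    if not hmac.compare_digest(token, session["comment_token"]):
        return False
    return (now - comment["time"]) <= GRACE_SECONDS


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def make_quick_delete_token(secret_key, thread, comment_id):
    """Sign the comment details with the site secret so the link cannot be forged."""
    body = _b64(json.dumps({"thread": thread, "id": comment_id}, sort_keys=True).encode())
    sig = hmac.new(secret_key, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def verify_quick_delete_token(secret_key, token):
    """Return the signed comment details, or None if the signature does not check out."""
    try:
        body, sig = token.encode().split(b".", 1)
        expected = hmac.new(secret_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except (ValueError, UnicodeError):
        return None
```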

Misc Fixes

This also fixes the Comment Preview page for logged-in users. Previously, their name would show as "Anonymous" and the default avatar was shown. Now it uses their real name and user avatar.

@kirsle kirsle merged commit 84d5b4a into master Jan 3, 2017