
Change state of comment back to moderation after comment got updated

Open jaschaurbach opened this issue 2 years ago • 5 comments

Quick summary

I just found out that after an already published comment from ActivityPub is changed, the changed comment is just there, without any oversight or chance to check it before it is published.

Anyone could put anything on my blog after a comment got approved and that is bad.

Steps to reproduce

  1. Comment via ActivityPub on an article
  2. Wait till comment is approved
  3. change comment
  4. See changed comment without further check by the site owner

What you expected to happen

I'd expect that the comment gets put back into moderation state.

What actually happened

The comment just changed.

Impact

All

Available workarounds?

No but the platform is still usable

Logs or notes

No response

jaschaurbach, Jan 05 '24 12:01

I consider this bug / missing feature a big moderation issue. As long as it's not fixed, I'm not using this (otherwise great) plugin.

Schoeneh, Jan 05 '24 12:01

~~It looks like we could leverage the following hook to temporarily work around this:~~

https://github.com/Automattic/wordpress-activitypub/blob/4c297acfd454a13260900ff0f97a9e3f425e960c/includes/handler/class-update.php#L76

Except I'm not sure what the 2nd parameter even is? Why is it null? This seems to be the only time this action is called?

So, untested, but you could try putting something like this in a mu-plugin or your theme's functions.php?

```php
add_action( 'activitypub_handled_update', function( $activity, $second_param, $state, $reaction ) {
	if ( $reaction instanceof \WP_Comment ) {
		wp_set_comment_status( $reaction, 'hold' );
	}
}, 10, 4 );
```

Note that this wouldn't actually check if anything got changed (yet)!

Update: doesn't actually work because of what looks like another bug? See below.

janboddez, Jan 05 '24 14:01

So, that didn't work.

In fact, this whole bit of code is kinda strange:

```php
$state    = Interactions::update_comment( $activity );
$reaction = null;

if ( $state && ! \is_wp_error( $reaction ) ) {
	$reaction = \get_comment( $state );
}

\do_action( 'activitypub_handled_update', $activity, null, $state, $reaction );
```

$reaction is literally set equal to null, so \get_comment( $state ); will never run.

~~But ... $state seems to actually be the comment! Let me edit my other response.~~ Edit: It isn't. I believe this is a(nother) bug! wp_update_comment() does not actually return a comment ID.

janboddez, Jan 05 '24 14:01

OK, forget it.

https://github.com/Automattic/wordpress-activitypub/blob/4c297acfd454a13260900ff0f97a9e3f425e960c/includes/collection/class-interactions.php#L138

Doesn't actually return a comment. It returns 1 if the update was successful.

So I think the bit of code above should be:

```php
if ( $state && ! \is_wp_error( $state ) ) {
	$reaction = \get_comment( $state ); // Except that state is not actually a comment ID!
}
```

So you'd have to also update Interactions::update_comment() to return an actual comment ID.

So, one could again parse $activity and work off of that, or wait for this to be fixed.

janboddez, Jan 05 '24 14:01

OK, so as of now the latest master allows you to add something like the following to, e.g., functions.php:

```php
add_action( 'activitypub_handled_update', function( $activity, $second_param, $state, $reaction ) {
	if ( $reaction instanceof \WP_Comment ) {
		wp_set_comment_status( $reaction, 'hold' );
	}
}, 99, 4 );
```

If a comment was successfully updated by the AP plugin, it will be put "on hold" again. Tested on my site.

I also think maybe this should be the default behavior.

Or that it should be the default behavior when WordPress is set up to manually approve (all) comments.

Or that it should respect that setting where you can auto-approve comments if a commenter has left more than two or so approved comments. So that "new" actors aren't allowed to auto-update but "sufficiently known" actors are.

For now, this works for me.

Note that on Mastodon, too, if someone on another server updates their reply, its copy on the server you're on will also be updated. The only form of moderation (other than outright blocking/silencing/etc.) is after the fact, when others report (harmful) posts.

Of course a personal site is something else than even a single-user Mastodon instance. We've grown to expect less from social media moderation than from well-kept blogs.

janboddez, Jan 06 '24 12:01
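The policy options raised in the comment above (re-hold only when the site requires manual approval, or when the actor has no other approved comment), sketched as an added example; it is not code from the thread or from the plugin. It assumes the `activitypub_handled_update` hook passes the updated `WP_Comment` as its fourth argument, as that comment describes for the latest master, and, as a further assumption, that the plugin stores the remote actor's profile URL in `comment_author_url`.

```php
// Added example for a mu-plugin or functions.php (after the opening PHP tag).
add_action(
	'activitypub_handled_update',
	function ( $activity, $second_param, $state, $reaction ) {
		if ( ! $reaction instanceof \WP_Comment ) {
			return; // Update failed or did not concern a comment.
		}
		if ( 'approved' !== wp_get_comment_status( $reaction ) ) {
			return; // Already pending, spam or trash: no approval to revoke.
		}

		// Discussion setting "Comment must be manually approved":
		// every remote edit needs a fresh review.
		$hold = (bool) get_option( 'comment_moderation' );

		// Discussion setting "Comment author must have a previously approved
		// comment": trust the edit only if the same actor has at least one
		// OTHER approved comment. The edited comment itself is excluded,
		// otherwise it would vouch for its own new content.
		if ( ! $hold && get_option( 'comment_previously_approved' ) ) {
			// Assumption: the actor's profile URL is stored as the author URL.
			$actor_url = $reaction->comment_author_url;
			$others    = 0; // Fail closed when the actor cannot be identified.
			if ( '' !== $actor_url ) {
				$others = (int) get_comments(
					array(
						'author_url'      => $actor_url,
						'status'          => 'approve',
						'comment__not_in' => array( (int) $reaction->comment_ID ),
						'count'           => true,
					)
				);
			}
			$hold = $others < 1;
		}

		if ( $hold && wp_set_comment_status( $reaction, 'hold' ) ) {
			// Uses the normal moderation e-mail if the site has it enabled.
			wp_notify_moderator( (int) $reaction->comment_ID );
		}
	},
	99,
	4
);
```

Like the snippets in the thread, this runs after the update has been stored, so it cannot tell whether the content actually changed; it only decides whether the already-updated comment stays public.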

This issue is stale because it has been open 120 days with no activity. Remove stale label or comment or this will be closed in 5 days.

github-actions[bot], May 06 '24 01:05