
Option to not display new comment form

Open WeixuanZ opened this issue 5 years ago • 9 comments

#355: Added optional argument `form` to the script tag.

If `form=false`, the new-comment-component is replaced by a button that links to the issue.

If the issue does not exist, an error message is displayed.

What it looks like: [screenshot]

WeixuanZ avatar Aug 01 '20 22:08 WeixuanZ

I would love to use this. Please consider for inclusion.

weitzman avatar Aug 04 '20 12:08 weitzman

good job

CCKNBC avatar Aug 13 '20 13:08 CCKNBC

how can I use it

CCKNBC avatar Aug 13 '20 13:08 CCKNBC

I do not plan to merge this. Enabling any user to create the GitHub issue would mean the first person to comment has control of the whole thread, could edit the issue title, unlinking the issue from the blog post.

jdanyow avatar Nov 14 '20 20:11 jdanyow

> I do not plan to merge this. Enabling any user to create the GitHub issue would mean the first person to comment has control of the whole thread, could edit the issue title, unlinking the issue from the blog post.

That is already the case for pages without comments anyway, assuming no issue has been manually setup. (Unless I am missing something?)

How long does it take for an issue to be created? Maybe the "link" to the issue can just create it if it does not exist. Or perhaps whenever someone visits the page, as it already checks anyway?

lenscas avatar Dec 26 '20 03:12 lenscas

Hi there,

I don't know if this is the best final solution, but the lack of a feature like this is the only thing that would keep me from using utterances.

Am I wrong in my understanding that this project is accumulating the "Act on your behalf" privileges for more and more users? Doesn't that make the App a plum target for an exploit / attack in the future?

If the requested privileges are constrained only to posting issues to the project using utterances then maybe the real thing that's missing is for the GitHub App authorization page to be more informative (i.e. saying what "Act on your behalf" means in detail).

Maintainers -- thanks for your patience in reading this and your hard work in producing something interesting and useful.

mmt avatar Jan 05 '21 06:01 mmt

@mmt responding to your questions:

> Am I wrong in my understanding that this project is accumulating the "Act on your behalf" privileges for more and more users? Doesn't that make the App a plum target for an exploit / attack in the future?

The app doesn't store any user information. No github user ids, no oauth tokens, nothing. When the OAuth token is issued it's encrypted on the Utterances server and sent to the client to be stored in local storage. When the client needs to post a comment it sends along the encrypted token which the Utterances service decrypts, calls the GitHub API, and then discards.

> If the requested privileges are constrained only to posting issues to the project using utterances then maybe the real thing that's missing is for the GitHub App authorization page to be more informative (i.e. saying what "Act on your behalf" means in detail).

The Utterances GitHub App only uses the "issues" permission. Read more about permissions in the github docs. The tldr; is signing into utterances results in a github oauth token that has permissions equivalent to the intersection of what the Utterances app can do (manage issues/comments on repos where it's installed) and what you can do. This essentially limits it to creating issues and posting comments where it's installed. I agree, "Act on your behalf" is pretty vague/scary, all I can do is assure you Utterances requests the least permissions possible and doesn't store your creds/information.

jdanyow avatar Jan 05 '21 07:01 jdanyow

@lenscas

> I do not plan to merge this. Enabling any user to create the GitHub issue would mean the first person to comment has control of the whole thread, could edit the issue title, unlinking the issue from the blog post.

> That is already the case for pages without comments anyway, assuming no issue has been manually setup. (Unless I am missing something?)

When Utterances needs to create an issue it uses the @utterances-bot account. This ensures the first person to leave a comment doesn't own the whole thread.

jdanyow avatar Jan 05 '21 07:01 jdanyow

> @lenscas
>
> > I do not plan to merge this. Enabling any user to create the GitHub issue would mean the first person to comment has control of the whole thread, could edit the issue title, unlinking the issue from the blog post.
>
> > That is already the case for pages without comments anyway, assuming no issue has been manually setup. (Unless I am missing something?)
>
> When Utterances needs to create an issue it uses the @utterances-bot account. This ensures the first person to leave a comment doesn't own the whole thread.

Yes, but right now someone can see that there are no comments, go to the correct repo and make an issue with the correct name.

lenscas avatar Jan 05 '21 08:01 lenscas