XML-RPC anonymous comments wordpress.com

  • Author
  • #445521

    Original poster

    I have done tons of research today, but apparently I’m just not getting the right answer. Today is my first day using XML-RPC. Piece of cake.

    I was able to do a Trackback, a PingBack, and various XML-RPC calls with different APIs to my blog. The one thing that I cannot seem to be able to do is add an anonymous comment to my blog remotely.

    I have seen where other people have asked this question, and Jonathan has said that it was covered in the XML-RPC API. Basically, mentioning that if you leave the username and password blank, it will work…..It doesn’t. At least not in my case. I always get:

    faultCode 403 faultString Bad login/pass combination.

    Here is the request I’m sending:

    $request = '
    <?xml version="1.0" encoding="utf-8"?>
    					<value><string>(email visible only to moderators and staff)</string></value>


    If I have a username and password in there…it works perfect. The only problem is, it shows “me” as the poster, whereas I want to allow people to post comments to my blog from my other website as well and have “their” name show up as the poster.

    As already mentioned, if I take the username and password out….no dice.

    The blog I need help with is: allebrum.wordpress.com


    Original poster

    Also, I wanted to mention before someone posts on here….Apparently, there is a way to enable_anonymous_xml_rpc…or something to that affect, if I was running Word Press on my own server.

    This is not the case, and not an option for me.

    And if someone says that it is a security issue….well, seems like trackbacks wouldn’t be allowed either. At least with this, you can make the user put in their email address and a name.

    This is an important feature to have if it is not already enabled.



    Wow, that’s a lot. Um…to be honest, based on that type of question, you will probably have much more success if you ask the wp-hackers mailing list: http://lists.automattic.com/mailman/listinfo/wp-hackers. Anyway, I don’t have an answer, but good luck finding one.


    Check out this line from the wp_newComment function in xmlrpc.php:

    $allow_anon = apply_filters('xmlrpc_allow_anonymous_comments', false);

    By default WordPress doesn’t allow anonymous comments to be posted via XML-RPC. If you really want to do that you can add a plugin that adds a filter for xmlrpc_allow_anonymous_comments to set it to TRUE.

    Update – Sorry, I totally missed this was specifically asking about doing this on WordPress.com. WordPress.com does not allow anonymous comments via XML-RPC and isn’t likely to ever turn it on.


    Original poster

    Heh, I need to revise my post above to say “Joseph” and not “Jonathan”. I knew your name started with a J. :)

    I did see your post on this somewhere else. As mentioned though, I am on wordpress.com….which does not allow this functionality as noted in the first paragraph here: http://en.support.wordpress.com/plugins/

    Any chance that this functionality can be added….perhaps as a checkbox option under the Discussion Section.



    No chance of us supporting that on WordPress.com. Sorry, but it’s a gold-plated invitation to spammers.


    Original poster


    What you are saying doesn’t make any sense. If I was a spammer, I would say forget comments, and just post a bunch of trackbacks…..which can be done without authentication. Someone on wp-hackers said, “Well, trackbacks are suppose to be automated”.

    My response to that was, “Saying that spammers won’t use trackbacks for spamming just because they aren’t ‘suppose’ to be used that way, is like telling assuming a thief won’t break in through a window because they are doors.”

    To say that you won’t allow remote comments because some policy says that’s unsafe and opens the door for spammers, but yet you allow trackbacks which provides the exact same functionality, is hypocritical.

    Please revise your guys’ policy to include anonymous comments via XML-RPC. This should at least be an option in the Administration for people who would like to use this feature.

    At the end of the day, if you continue to stick with your idealogy, would you be willing to perhaps revisit the way you handle authenticated XML-RPC comment posts? And instead of just asumming that the person that is “logged” in, is the actual poster…allow for the specification of someone to be posting.

    Example…This whole topic got started because I have a website that I read my wordpress blog into. I want people to be able to comment from my site and have it show up on my wordpress blog. I maintain the backend coding, so it would be not big deal to authenticate with my username and password, and just pop in the posters name and “email?” into the XML Post to wordpress.

    I would be happy to visit this topic with you guys in detail and help out with the PHP code to allow for such a feature. Doing this would not induce any security risk since the owner (or adminstrator) or the blog still has to authenticate themselves before allowing their guests to post remotely.

    This functionality could be used from University campuses, where perhaps students want to post on their University’s blog. The university would authenticate the post, but the post would show as coming from the said student.


    You can already change comment field values with the wp.editComment method.


    Original poster

    what? I’m asking about adding comments. not editing them.



    As tellyworth has said, this is not something we will be adding.


    Original poster

    Okay, so can we revise the code a little to still allow authentication, but just handle the XML request differently and actually USE the author that is specified in the XML-RPC request?

    This would not introduce any of a security issue as I mentioned before because the administrator will still have to be authenticated him/herself.

    We would just have to change:

    if ( $logged_in ) {
    1274	                        $comment['comment_author'] = $wpdb->escape( $user->display_name );
    1275	                        $comment['comment_author_email'] = $wpdb->escape( $user->user_email );
    1276	                        $comment['comment_author_url'] = $wpdb->escape( $user->user_url );
    1277	                        $comment['user_ID'] = $user->ID;
    1278	                } else {
    1279	                        $comment['comment_author'] = '';
    1280	                        if ( isset($content_struct['author']) )
    1281	                                $comment['comment_author'] = $content_struct['author'];
    1283	                        $comment['comment_author_email'] = '';
    1284	                        if ( isset($content_struct['author_email']) )
    1285	                                $comment['comment_author_email'] = $content_struct['author_email'];
    1287	                        $comment['comment_author_url'] = '';
    1288	                        if ( isset($content_struct['author_url']) )
    1289	                                $comment['comment_author_url'] = $content_struct['author_url'];
    1291	                        $comment['user_ID'] = 0;
    1293	                        if ( get_option('require_name_email') ) {
    1294	                                if ( 6 > strlen($comment['comment_author_email']) || '' == $comment['comment_author'] )
    1295	                                        return new IXR_Error( 403, __( 'Comment author name and email are required' ) );
    1296	                                elseif ( !is_email($comment['comment_author_email']) )
    1297	                                        return new IXR_Error( 403, __( 'A valid email address is required' ) );
    1298	                        }
    1299	                }


    if ( $logged_in ) {
    	if ( isset($content_struct['author']) )
    		$comment['comment_author'] = $content_struct['author'];
    		$comment['comment_author'] = $wpdb->escape( $user->display_name );
    	if ( isset($content_struct['author_email']) )
    		$comment['comment_author_email'] = $content_struct['author_email'];
    		$comment['comment_author_email'] = $wpdb->escape( $user->user_email );
    	if ( isset($content_struct['author_url']) )
    		$comment['comment_author_url'] = $content_struct['author_url'];
    		$comment['comment_author_url'] = $wpdb->escape( $user->user_url );
    	$comment['user_ID'] = $user->ID;
    } else {
    	$comment['comment_author'] = '';
    	if ( isset($content_struct['author']) )
    		$comment['comment_author'] = $content_struct['author'];
    	$comment['comment_author_email'] = '';
    	if ( isset($content_struct['author_email']) )
    		$comment['comment_author_email'] = $content_struct['author_email'];
    	$comment['comment_author_url'] = '';
    	if ( isset($content_struct['author_url']) )
    		$comment['comment_author_url'] = $content_struct['author_url'];
    	$comment['user_ID'] = 0;
    	if ( get_option('require_name_email') ) {
    		if ( 6 > strlen($comment['comment_author_email']) || '' == $comment['comment_author'] )
    			return new IXR_Error( 403, __( 'Comment author name and email are required' ) );
    		elseif ( !is_email($comment['comment_author_email']) )
    			return new IXR_Error( 403, __( 'A valid email address is required' ) );

    This would just do a check inside of the “logged in”. And instead of just assuming that the person logged in is the person posting, we just do another check to handle the XML-RPC request.


    Original poster

    You said:

    I want people to be able to comment from my site and have it show up on my wordpress blog. I maintain the backend coding, so it would be not big deal to authenticate with my username and password, and just pop in the posters name and “email?” into the XML Post to wordpress.

    What I suggested is you create the comment as with an admin account and then edit the comment fields to match the “real” user with wp.editComment.

    If you really want to have anonymous comments turned on via XML-RPC you can do it on your own WordPress blog.


    Original poster

    Hmm, perhaps I am not explaining myself very well.

    I wouldn’t know who the poster is. They would be just some random person.

    Forget about anonymous comments with XML-RPC. After realizing that I wasn’t going to get anywhere with that, I am asking if you guys can just make the xmlrpc.php edit that I posted above.

    The only difference between what is currently on your system and what is in the code I posted above, is that the code above actually takes into account the author attributes in the XML-RPC request instead of just pretending like they never existed.

    As per WordPress Manual, these are valid fields:

    struct comment
    int comment_parent
    string content
    string author
    string author_url
    string author_email

    So, they should be handled correctly. If I specify a different author in the my request, the author should be handled in accordance with the documentation.

    Using the Code I posted above will solve this problem and make WordPress.com compliant with it’s own documentation in respect to this particular section.


    Original poster

    Original poster

    What I suggested is you create the comment as with an admin account and then edit the comment fields to match the “real” user with wp.editComment.

    I have not tried with wp.editComment to do this….but if you can do this, why can’t we just handle the original request properly?


    Original poster

    Joseph, heh I did realize what you meant about editing the post. So I retract my statement about “not knowing who the poster was”. I still have not tried this, but I would like to stick with my question above this post.


    The point of requiring users to be authenticated when leaving a comment via the XML-RPC API is to be reasonably sure of who is leaving the comment (obviously things outside of the control of WordPress are different issue here, like users sharing passwords).

    Your suggested change would allow any user to start posting as anyone else, including those who aren’t users of the blog. That defeats the core reason for authenticating them in the first place. This would also make the XML-RPC new comment method inconsistent with the rest of WordPress. When you leave a comment as a logged in user, WordPress doesn’t give you the option to change your information on that comment.

    As I mentioned someone with an admin account can essentially do this anyway, either via wp-admin or via the XML-RPC API. Since admin accounts can do pretty much anything that’s not really an issue. If you can’t trust an admin account then it’s game over anyway.

    If you really want to allow anonymous comments (either by authenticated users, or by anyone else) via XML-RPC you can do that with your own install of WordPress.

The topic ‘XML-RPC anonymous comments wordpress.com’ is closed to new replies.