Comment Section Frontend Permissions

Hi!

I’ve been working on a commenting system, following instructions from this (German) article https://netzleben.com/ein-kommentarsystem-fuer-kirby

So far it’s been working great, it didn’t take a lot of work to make the code from the tutorial Kirby-3-ready. The comments are stored as YAML in a structure field and I’m using a page controller to update the field when the user clicks on submit in a basic HTML form. Now, the idea is that any visitor should be able to leave comments without having to register. Locally on my Mac this is working fine, but on a test server I get an error message (“you are not allowed to update [page]”), so today was the day I looked into user permissions for the first time.

I copied the editor permissions from the docs to /site/blueprints/users/visitor.yml (would this be the correct path?) but it didn’t work, so I set

$kirby = kirby();
$kirby->impersonate('kirby'); // run the rest of the controller as the almighty "kirby" user

in the page controller. This is doing the trick, but I’m unsure if there’d be any security implications with this method… How should I proceed? Why are user permissions via blueprint not working?

Thanks for your help! :blush:

I’m not totally sure if that’s the point, but have you tried it with visitor.yml?

Yeah, I’ve tried that – “visitors.yml” as in my above post (now corrected) was supposed to say “visitor.yml”.

…or, tried what? What exactly do you mean?

If any visitor without authentication is supposed to leave a comment, then having a role for visitors doesn’t really make sense. Impersonating the Kirby almighty user (or another user) is the way to go.

You might want to implement some sort of honeypot or captcha to prevent bots spamming your site with thousands of comments.

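A page controller that applies the advice above, added here as an example (not code from the thread or the netzleben tutorial): it validates the submitted fields, rejects a filled honeypot, and impersonates the kirby user only for the single update call, dropping back to the anonymous visitor afterwards. The template name article, the form field names (name, text, website, csrf) and the no-argument impersonate() call as the reset are assumptions.

```php
<?php
// site/controllers/article.php (assumed template name)
// Added example; not from the thread or the netzleben tutorial.

return function ($kirby, $page) {
    $error   = null;
    $success = false;

    if ($kirby->request()->is('POST') && get('submit')) {
        // CSRF: the form carries <input type="hidden" name="csrf" value="<?= csrf() ?>">
        if (csrf(get('csrf')) !== true) {
            $error = 'Invalid form token';
        // Honeypot: hidden field "website" stays empty for humans; bots tend to fill it
        } elseif ((string)get('website') !== '') {
            $error = 'Spam detected';
        } else {
            $name = trim((string)get('name'));
            $text = trim((string)get('text'));

            if (mb_strlen($name) < 1 || mb_strlen($name) > 80 ||
                mb_strlen($text) < 1 || mb_strlen($text) > 2000) {
                $error = 'Please check the length of name and comment';
            } else {
                // Existing structure field content as an array, then append one entry
                $comments   = $page->comments()->yaml();
                $comments[] = [
                    'name' => $name,
                    'text' => $text,
                    'date' => date('Y-m-d H:i:s'),
                ];

                // Elevate only for the write: nothing else in the request runs as "kirby"
                $kirby->impersonate('kirby');
                try {
                    $page->update(['comments' => $comments]);
                    $success = true;
                } catch (Exception $e) {
                    $error = 'The comment could not be saved';
                } finally {
                    $kirby->impersonate(); // assumption: no-arg call resets to the previous user
                }
            }
        }
    }

    return compact('error', 'success');
};
```

The stored values are raw user input, so the template should print them with `->escape()` (or the `esc()` helper) rather than echoing the field directly.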

Thanks for the reply! Yeah, I’m currently looking into captcha. We’re thinking about implementing this only if bot comments turn out to be a major problem, or just after a certain period of time after the page has been created so old articles don’t have to be constantly monitored.