www.digitalmars.com         C & C++   DMDScript  

digitalmars.D.announce - Introducing Diskuto - an embeddable comment system

reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
So I was able to reserve the last two days to work on something new, and 
one thing that is currently rather lacking in the D/vibe.d web ecosystem 
is embedded commenting, be it for vibe.d's own blog engine [1]/[2] or 
for the DDOX based standard library documentation [3]. So I went ahead 
and created a little comment engine inspired by Disqus and Isso:

https://github.com/rejectedsoftware/diskuto (screenshot inside)
https://code.dlang.org/packages/diskuto

It has a similar tree based structure with user voting, doesn't require 
registration and a basic set of functionality works without JavaScript 
support.

Currently the only backend supported is MongoDB, but adding more is 
rather simple. Using NNTP as the target, as was discussed a few times in 
the past, is slightly tricky because editing and comment deletion needs 
to be supported. However, there is a limited time frame for those 
operations, so afterwards messages could be mirrored to a newsgroup 
safely (the other way around would of course always work).

Any comments suggestions and especially helping hands are highly 
appreciated!

[1]: https://github.com/rejectedsoftware/vibenews
[2]: https://vibed.org/blog/
[3]: https://dlang.org/library/
Mar 14 2017
next sibling parent reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 14.03.2017 um 12:17 schrieb Sönke Ludwig:
 So I was able to reserve the last two days to work on something new, and
 one thing that is currently rather lacking in the D/vibe.d web ecosystem
 is embedded commenting, be it for vibe.d's own blog engine [1]/[2] or
 for the DDOX based standard library documentation [3]. So I went ahead
 and created a little comment engine inspired by Disqus and Isso:

 https://github.com/rejectedsoftware/diskuto (screenshot inside)
 https://code.dlang.org/packages/diskuto

 It has a similar tree based structure with user voting, doesn't require
 registration and a basic set of functionality works without JavaScript
 support.

 Currently the only backend supported is MongoDB, but adding more is
 rather simple. Using NNTP as the target, as was discussed a few times in
 the past, is slightly tricky because editing and comment deletion needs
 to be supported. However, there is a limited time frame for those
 operations, so afterwards messages could be mirrored to a newsgroup
 safely (the other way around would of course always work).

 Any comments suggestions and especially helping hands are highly
 appreciated!

 [1]: https://github.com/rejectedsoftware/vibenews
 [2]: https://vibed.org/blog/
 [3]: https://dlang.org/library/
Started a temporary instance for hands-on testing: http://rejectedsoftware.com:10888/
Mar 14 2017
parent reply Faux Amis <faux amis.com> writes:
 Started a temporary instance for hands-on testing:
 http://rejectedsoftware.com:10888/
Updated I see ;)
Mar 14 2017
parent reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 14.03.2017 um 14:48 schrieb Faux Amis:
 Started a temporary instance for hands-on testing:
 http://rejectedsoftware.com:10888/
Updated I see ;)
Yeah, still tweaking a few things here and there. Very helpful to have people try out weird things ;) I'm just not sure how well that will work after someone posts this to Reddit.
Mar 14 2017
parent reply Azbuka <azbukapublic yahoo.com> writes:
On Tuesday, 14 March 2017 at 14:26:35 UTC, Sönke Ludwig wrote:
 Yeah, still tweaking a few things here and there. Very helpful 
 to have people try out weird things ;) I'm just not sure how 
 well that will work after someone posts this to Reddit.
My comment is most upvoted. Where can I get my medal? (Just runned a script, which makes POST requests to diskuto/up with id=<your comment id>)
Mar 14 2017
parent reply Daniel Kozak via Digitalmars-d-announce writes:
Dne 14.3.2017 v 20:17 Azbuka via Digitalmars-d-announce napsal(a):

 On Tuesday, 14 March 2017 at 14:26:35 UTC, Sönke Ludwig wrote:
 Yeah, still tweaking a few things here and there. Very helpful to 
 have people try out weird things ;) I'm just not sure how well that 
 will work after someone posts this to Reddit.
My comment is most upvoted. Where can I get my medal? (Just runned a script, which makes POST requests to diskuto/up with id=<your comment id>)
Sorry but I do not see it. Which one?
Mar 14 2017
parent reply Azbuka <azbukapublic yahoo.com> writes:
On Tuesday, 14 March 2017 at 19:39:08 UTC, Daniel Kozak wrote:

 Sorry but I do not see it. Which one?
Looks like it have been deleted. Okay, 2k upvotes is too much. I'll make it 100.
Mar 14 2017
next sibling parent Daniel Kozak via Digitalmars-d-announce writes:
Dne 14.3.2017 v 20:54 Azbuka via Digitalmars-d-announce napsal(a):

 On Tuesday, 14 March 2017 at 19:39:08 UTC, Daniel Kozak wrote:

 Sorry but I do not see it. Which one?
Looks like it have been deleted. Okay, 2k upvotes is too much. I'll make it 100.
Deleted :D
Mar 14 2017
prev sibling parent reply Daniel Kozak via Digitalmars-d-announce writes:
Dne 14.3.2017 v 20:54 Azbuka via Digitalmars-d-announce napsal(a):
 On Tuesday, 14 March 2017 at 19:39:08 UTC, Daniel Kozak wrote:

 Sorry but I do not see it. Which one?
Looks like it have been deleted. Okay, 2k upvotes is too much. I'll make it 100.
curl 'http://rejectedsoftware.com:10888/diskuto/delete' -H 'Origin: http://rejectedsoftware.com:10888' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: cs-CZ,cs;q=0.8' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144' -H 'Content-type: application/json' -H 'Accept: */*' -H 'Referer: http://rejectedsoftware.com:10888/' -H 'Cookie: vibe.session_id=QVwY1IGbGeELZw0v77w74RdDbQOKTheyQx8gi3HAQOWi6PTEQoRAxbUWUFmmLNq95FE nyZ1Og47SCeu5v6oog' -H 'Connection: keep-alive' --data-binary '{"id":"xxxxxxxxxxxxxxxxxxxxxxxx"}' --compressed
Mar 14 2017
parent reply =?UTF-8?B?U8O2bmtl?= Ludwig <sludwig outerproduct.org> writes:
On Tuesday, 14 March 2017 at 20:02:08 UTC, Daniel Kozak wrote:
 Dne 14.3.2017 v 20:54 Azbuka via Digitalmars-d-announce 
 napsal(a):
 On Tuesday, 14 March 2017 at 19:39:08 UTC, Daniel Kozak wrote:

 Sorry but I do not see it. Which one?
Looks like it have been deleted. Okay, 2k upvotes is too much. I'll make it 100.
curl 'http://rejectedsoftware.com:10888/diskuto/delete' -H 'Origin: http://rejectedsoftware.com:10888' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: cs-CZ,cs;q=0.8' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144' -H 'Content-type: application/json' -H 'Accept: */*' -H 'Referer: http://rejectedsoftware.com:10888/' -H 'Cookie: vibe.session_id=QVwY1IGbGeELZw0v77w74RdDbQOKTheyQx8gi3HAQOWi6PTEQoRAxbUWUFmmLNq95FE nyZ1Og47SCeu5v6oog' -H 'Connection: keep-alive' --data-binary '{"id":"xxxxxxxxxxxxxxxxxxxxxxxx"}' --compressed
Did you delete the comments yourself? The time limit for deletion/editing currently isn't enforced on the server (ticket already open), so anyone can delete their own tickets currently at any time. I've noted the other issues and will tackle those tomorrow.
Mar 14 2017
parent reply Daniel Kozak via Digitalmars-d-announce writes:
Dne 14.3.2017 v 21:24 Sönke Ludwig via Digitalmars-d-announce napsal(a):
 On Tuesday, 14 March 2017 at 20:02:08 UTC, Daniel Kozak wrote:
 Dne 14.3.2017 v 20:54 Azbuka via Digitalmars-d-announce napsal(a):
 On Tuesday, 14 March 2017 at 19:39:08 UTC, Daniel Kozak wrote:

 Sorry but I do not see it. Which one?
Looks like it have been deleted. Okay, 2k upvotes is too much. I'll make it 100.
curl 'http://rejectedsoftware.com:10888/diskuto/delete' -H 'Origin: http://rejectedsoftware.com:10888' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: cs-CZ,cs;q=0.8' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 OPR/43.0.2442.1144' -H 'Content-type: application/json' -H 'Accept: */*' -H 'Referer: http://rejectedsoftware.com:10888/' -H 'Cookie: vibe.session_id=QVwY1IGbGeELZw0v77w74RdDbQOKTheyQx8gi3HAQOWi6PTEQoRAxbUWUFmmLNq95FE nyZ1Og47SCeu5v6oog' -H 'Connection: keep-alive' --data-binary '{"id":"xxxxxxxxxxxxxxxxxxxxxxxx"}' --compressed
Did you delete the comments yourself? The time limit for deletion/editing currently isn't enforced on the server (ticket already open), so anyone can delete their own tickets currently at any time. I've noted the other issues and will tackle those tomorrow.
I have deleted not only my comments, I can delete enyone comment
Mar 14 2017
parent reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 14.03.2017 um 21:56 schrieb Daniel Kozak via Digitalmars-d-announce:
 Dne 14.3.2017 v 21:24 Sönke Ludwig via Digitalmars-d-announce napsal(a):
 Did you delete the comments yourself? The time limit for
 deletion/editing currently isn't enforced on the server (ticket
 already open), so anyone can delete their own tickets currently at any
 time.

 I've noted the other issues and will tackle those tomorrow.
I have deleted not only my comments, I can delete enyone comment
Okay, that was supposed to be implemented before 1.0.0, but then I forgot about it: https://github.com/rejectedsoftware/diskuto/blob/d8376f3e54a03574f69af13a0b41b5e994b6ce44/source/diskuto/web.d#L107
Mar 14 2017
parent reply cym13 <cpicard openmailbox.org> writes:
On Wednesday, 15 March 2017 at 02:14:34 UTC, Sönke Ludwig wrote:
 Am 14.03.2017 um 21:56 schrieb Daniel Kozak via 
 Digitalmars-d-announce:
 Dne 14.3.2017 v 21:24 Sönke Ludwig via Digitalmars-d-announce 
 napsal(a):
 Did you delete the comments yourself? The time limit for
 deletion/editing currently isn't enforced on the server 
 (ticket
 already open), so anyone can delete their own tickets 
 currently at any
 time.

 I've noted the other issues and will tackle those tomorrow.
I have deleted not only my comments, I can delete enyone comment
Okay, that was supposed to be implemented before 1.0.0, but then I forgot about it: https://github.com/rejectedsoftware/diskuto/blob/d8376f3e54a03574f69af13a0b41b5e994b6ce44/source/diskuto/web.d#L107
You'll also want a CSRF token for that, checking that the user is the author isn't enough.
Mar 17 2017
parent reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 17.03.2017 um 16:42 schrieb cym13:
 On Wednesday, 15 March 2017 at 02:14:34 UTC, Sönke Ludwig wrote:
 Am 14.03.2017 um 21:56 schrieb Daniel Kozak via Digitalmars-d-announce:
 Dne 14.3.2017 v 21:24 Sönke Ludwig via Digitalmars-d-announce napsal(a):
 Did you delete the comments yourself? The time limit for
 deletion/editing currently isn't enforced on the server (ticket
 already open), so anyone can delete their own tickets currently at any
 time.

 I've noted the other issues and will tackle those tomorrow.
I have deleted not only my comments, I can delete enyone comment
Okay, that was supposed to be implemented before 1.0.0, but then I forgot about it: https://github.com/rejectedsoftware/diskuto/blob/d8376f3e54a03574f69af13a0b41b5e994b6ce44/source/diskuto/web.d#L107
You'll also want a CSRF token for that, checking that the user is the author isn't enough.
True, I have that and some other standard measures planned, but for now I wanted to concentrate on getting the general functionality and layout done. On the "security" side, simple moderation and registered user support is now in but still needs some additions, and the spam filter integration still needs a little work. IMO, those are the most important things for the start, because realistically nobody is going to implement a CSRF attack against this in the foreseeable future, and even if, the impact would be extremely limited (since only posts of the last 15 minutes can be changed anyways).
Mar 17 2017
parent reply Suliman <evermind live.ru> writes:
On Friday, 17 March 2017 at 16:42:28 UTC, Sönke Ludwig wrote:
 Am 17.03.2017 um 16:42 schrieb cym13:
 On Wednesday, 15 March 2017 at 02:14:34 UTC, Sönke Ludwig 
 wrote:
 Am 14.03.2017 um 21:56 schrieb Daniel Kozak via 
 Digitalmars-d-announce:
 Dne 14.3.2017 v 21:24 Sönke Ludwig via 
 Digitalmars-d-announce napsal(a):
 Did you delete the comments yourself? The time limit for
 deletion/editing currently isn't enforced on the server 
 (ticket
 already open), so anyone can delete their own tickets 
 currently at any
 time.

 I've noted the other issues and will tackle those tomorrow.
I have deleted not only my comments, I can delete enyone comment
Okay, that was supposed to be implemented before 1.0.0, but then I forgot about it: https://github.com/rejectedsoftware/diskuto/blob/d8376f3e54a03574f69af13a0b41b5e994b6ce44/source/diskuto/web.d#L107
You'll also want a CSRF token for that, checking that the user is the author isn't enough.
True, I have that and some other standard measures planned, but for now I wanted to concentrate on getting the general functionality and layout done. On the "security" side, simple moderation and registered user support is now in but still needs some additions, and the spam filter integration still needs a little work. IMO, those are the most important things for the start, because realistically nobody is going to implement a CSRF attack against this in the foreseeable future, and even if, the impact would be extremely limited (since only posts of the last 15 minutes can be changed anyways).
Please add oAuth with Google instead anti-spam. I really captcha end other stupid system where computer make decision enough am I human or no. Also auth with Telegram is very good thing. I think it would enough for 90% of users.
Mar 17 2017
parent =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 17.03.2017 um 18:30 schrieb Suliman:
 On Friday, 17 March 2017 at 16:42:28 UTC, Sönke Ludwig wrote:
 Am 17.03.2017 um 16:42 schrieb cym13:
 On Wednesday, 15 March 2017 at 02:14:34 UTC, Sönke Ludwig wrote:
 Am 14.03.2017 um 21:56 schrieb Daniel Kozak via Digitalmars-d-announce:
 Dne 14.3.2017 v 21:24 Sönke Ludwig via Digitalmars-d-announce
 napsal(a):
 Did you delete the comments yourself? The time limit for
 deletion/editing currently isn't enforced on the server (ticket
 already open), so anyone can delete their own tickets currently at
 any
 time.

 I've noted the other issues and will tackle those tomorrow.
I have deleted not only my comments, I can delete enyone comment
Okay, that was supposed to be implemented before 1.0.0, but then I forgot about it: https://github.com/rejectedsoftware/diskuto/blob/d8376f3e54a03574f69af13a0b41b5e994b6ce44/source/diskuto/web.d#L107
You'll also want a CSRF token for that, checking that the user is the author isn't enough.
True, I have that and some other standard measures planned, but for now I wanted to concentrate on getting the general functionality and layout done. On the "security" side, simple moderation and registered user support is now in but still needs some additions, and the spam filter integration still needs a little work. IMO, those are the most important things for the start, because realistically nobody is going to implement a CSRF attack against this in the foreseeable future, and even if, the impact would be extremely limited (since only posts of the last 15 minutes can be changed anyways).
Please add oAuth with Google instead anti-spam. I really captcha end other stupid system where computer make decision enough am I human or no. Also auth with Telegram is very good thing. I think it would enough for 90% of users.
The idea is to allow anonymous comments, at least if a site wants to support it, because that can often reduce the initial entry barrier considerably, even compared against a convenient OAuth login. But the idea is that all kinds of authentication mechanisms can be plugged in using the relatively trivial `DiskutoUserStore` interface. So anyone can use their favorite means. I'd of course accept pull requests to include a range of default options, but I'll probably not have the time to do that myself.
Mar 17 2017
prev sibling next sibling parent reply aberba <karabutaworld gmail.com> writes:
On Tuesday, 14 March 2017 at 11:17:57 UTC, Sönke Ludwig wrote:
 So I was able to reserve the last two days to work on something 
 new, and one thing that is currently rather lacking in the 
 D/vibe.d web ecosystem is embedded commenting, be it for 
 vibe.d's own blog engine [1]/[2] or for the DDOX based standard 
 library documentation [3]. So I went ahead and created a little 
 comment engine inspired by Disqus and Isso:

 [...]
How deep (levels) can it handle sub comments?
Mar 14 2017
parent =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 14.03.2017 um 20:09 schrieb aberba:
 On Tuesday, 14 March 2017 at 11:17:57 UTC, Sönke Ludwig wrote:
 So I was able to reserve the last two days to work on something new,
 and one thing that is currently rather lacking in the D/vibe.d web
 ecosystem is embedded commenting, be it for vibe.d's own blog engine
 [1]/[2] or for the DDOX based standard library documentation [3]. So I
 went ahead and created a little comment engine inspired by Disqus and
 Isso:

 [...]
How deep (levels) can it handle sub comments?
It's currently unlimited, but I guess that either a functional or a visual limit of some sort needs to be defined. I'd probably make that configurable, because the sweet spot depends on the intended purpose of the comment section - real discussions or mainly just answers+comments (StackOverflow) or comments+answers (blog).
Mar 14 2017
prev sibling next sibling parent reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Improvements implemented by now:

- Authorization and time limit (5min client facing, 15min server facing) 
is now enforced for editing and deleting comments
- The page must be queried first before any action is allowed (prevents 
trivial command line batch "attacks", as well as trivial spam automation)
- The main comment form is minimized by default (only the text area, 
single-line height)
- Maximum height of comments limited (will show scroll bars if exceeded)
- Temporal boosting limited to hours instead of days
- E-mail and website length limited
- Message contents don't overflow the content area
- Displayed comment count corrected

Some changes may require Ctrl+F5 to refresh the cache.

Thanks to everyone who helped testing the boundaries so far! This 
definitely sped up the initial finalization phase by a large margin. 
There are still some open points, but this gets close to being a 
complete product:

- Implement moderation (!) and user registration to avoid identity 
spoofing (pluggable source user database)
- Additional heuristics to prevent batch operations from a single 
client, possibly just showing a CAPTCHA for IPs that show a high 
frequency of operations on the same topic(s)
- Work out how to best limit the visual or functional nesting level of 
comments
- Translations to more languages
Mar 15 2017
parent reply aberba <karabutaworld gmail.com> writes:
On Wednesday, 15 March 2017 at 08:57:53 UTC, Sönke Ludwig wrote:
 Improvements implemented by now:

 - Authorization and time limit (5min client facing, 15min 
 server facing) is now enforced for editing and deleting comments
 - The page must be queried first before any action is allowed 
 (prevents trivial command line batch "attacks", as well as 
 trivial spam automation)
 - The main comment form is minimized by default (only the text 
 area, single-line height)
 - Maximum height of comments limited (will show scroll bars if 
 exceeded)
 - Temporal boosting limited to hours instead of days
 - E-mail and website length limited
 - Message contents don't overflow the content area
 - Displayed comment count corrected

 [...]
The load balancer you were working on. Was it intended to handle DDoS attacks and what is the current status.
Mar 15 2017
parent =?UTF-8?B?U8O2bmtl?= Ludwig <sludwig outerproduct.org> writes:
On Wednesday, 15 March 2017 at 10:40:31 UTC, aberba wrote:
 The load balancer you were working on. Was it intended to 
 handle DDoS attacks and what is the current status.
Being somewhat resistant to DDoS attacks is one of the secondary goals, but by the nature of it it would be very limited in what it can achieve there. A large scale cloud based approach is the only real solution. The project is currently on hold. I'd still like to finish it, but I had to resort to other solutions for the time being (lack of time).
Mar 15 2017
prev sibling next sibling parent =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Just implemented a visual overhaul - the "reply" buttons are gone and 
are replaced by the comment text box itself. This results in a less 
noisy page and one less click to make a reply.

Any opinions on replacing Disqus with this on http://dlang.org/library/?
Mar 15 2017
prev sibling next sibling parent reply "Nick Sabalausky (Abscissa)" <SeeWebsiteToContactMe semitwist.com> writes:
Nice. The only example code uses diet templates though, how would one 
embed this when not using diet?
Mar 15 2017
parent reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 15.03.2017 um 21:30 schrieb Nick Sabalausky (Abscissa):
 Nice. The only example code uses diet templates though, how would one
 embed this when not using diet?
I'll add two more examples - one using only JavaScript to embed the comments, which also works for non-D applications, and one using `compileDietHTMLFile`, writing the HTML directly to an output range.
Mar 16 2017
parent reply =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 16.03.2017 um 08:30 schrieb Sönke Ludwig:
 Am 15.03.2017 um 21:30 schrieb Nick Sabalausky (Abscissa):
 Nice. The only example code uses diet templates though, how would one
 embed this when not using diet?
I'll add two more examples - one using only JavaScript to embed the comments, which also works for non-D applications, and one using `compileDietHTMLFile`, writing the HTML directly to an output range.
The latest version now offers three embedding modes: https://github.com/rejectedsoftware/diskuto/tree/master/examples User accounts and simple moderation are also supported now. The embed-diet example shows how this can be plugged in.
Mar 16 2017
parent "Nick Sabalausky (Abscissa)" <SeeWebsiteToContactMe semitwist.com> writes:
On 03/16/2017 06:23 AM, Sönke Ludwig wrote:
 The latest version now offers three embedding modes:
 https://github.com/rejectedsoftware/diskuto/tree/master/examples

 User accounts and simple moderation are also supported now. The
 embed-diet example shows how this can be plugged in.
Nice. Very cool lib!
Mar 17 2017
prev sibling parent reply MrSmith <mrsmith33 yandex.ru> writes:
On Tuesday, 14 March 2017 at 11:17:57 UTC, Sönke Ludwig wrote:
 Any comments suggestions and especially helping hands are 
 highly appreciated!
Would be nice to undo/change votes. I accidentally clicked -1 and can't undo it.
Mar 19 2017
parent =?UTF-8?Q?S=c3=b6nke_Ludwig?= <sludwig outerproduct.org> writes:
Am 19.03.2017 um 12:13 schrieb MrSmith:
 On Tuesday, 14 March 2017 at 11:17:57 UTC, Sönke Ludwig wrote:
 Any comments suggestions and especially helping hands are highly
 appreciated!
Would be nice to undo/change votes. I accidentally clicked -1 and can't undo it.
Good point, I was a bit worried about this myself, and the fact that it directly occurred in practice suggests that this indeed needs to be improved.
Mar 21 2017