Allow comments by replying to email notification
Title:
Allow comments by replying to email notification
Area:
email, comments
Summary:
Use the same mechanisms used for post-by-email to allow comment-by-email. That is, comments by email should only be allowed from your registered address(es), and you should have to enter a PIN.
Description:
Currently DW allows post-by-email (http://www.dreamwidth.org/manage/emailpost) but doesn't allow you to reply to comments by email. This proposal adds commenting while avoiding some of the security problems that LiveJournal (allegedly?) has with their reply-form-in-the-email solution.
Basically, we just add an option to the "mobile post settings" saying "Also allow comments by email". When commenting by email, you would have to put the PIN in the text of the comment. We could specify, e.g., that it should be the first line of the comment:
PIN: blahblah
A simple regexp should be able to strip PINs from comments and then check them against the user's actual PIN and make sure it's the right one.
The comment notification email should include a message to the effect of "Want to reply via email? Set it up here." (if you aren't registered for email replies) or, "To reply by email, simply reply to this message and include your PIN as described here" (with a link to the help or whatever).
This suggestion:
Should be implemented as-is.
28 (58.3%)
Should be implemented with changes. (please comment)
1 (2.1%)
Shouldn't be implemented.
1 (2.1%)
(I have no opinion)
17 (35.4%)
(Other: please comment)
1 (2.1%)
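
The PIN check proposed in the suggestion above, as an added example that is not part of the original suggestion or Dreamwidth's own code. It uses the `PIN:` first-line format from the text; the `account` record, the function name and the sample message are assumptions constructed for illustration.

```python
import hmac
import re
from email import message_from_string
from email.utils import parseaddr

# The PIN must be the first non-blank line of the reply: "PIN: <value>".
PIN_LINE = re.compile(r"\A\s*PIN:[ \t]*(\S+)[ \t]*\r?\n?", re.IGNORECASE)

# Constructed sample data (hypothetical account record and reply mail).
ACCOUNT = {"addresses": {"user@example.org"}, "pin": "blahblah",
           "comment_by_email": True}
SAMPLE = ("From: Example User <user@example.org>\n"
          "Subject: Re: comment notification\n"
          "\n"
          "PIN: blahblah\n"
          "Thanks, that fixed it.\n")


def comment_from_email(raw_message, account):
    """Return the comment text to post, or None if the mail is rejected."""
    msg = message_from_string(raw_message)
    if msg.is_multipart():
        return None  # this example handles plain-text replies only
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")

    match = PIN_LINE.match(body)
    if not match:
        return None  # no PIN line: reject rather than post the body
    supplied = match.group(1)
    comment = body[match.end():].strip()  # PIN line never reaches the post

    # The From header is easy to forge, so it only narrows who may try;
    # the PIN is the secret. compare_digest avoids a timing side channel.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    allowed = account["comment_by_email"] and sender in account["addresses"]
    pin_ok = hmac.compare_digest(supplied.encode(), account["pin"].encode())
    if not (allowed and pin_ok and comment):
        return None
    return comment


if __name__ == "__main__":
    print(comment_from_email(SAMPLE, ACCOUNT))
```

Rejecting any mail without a leading PIN line, instead of posting whatever arrived, keeps a mistyped or misplaced PIN from ending up in a public comment.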

no subject
I don't know whether it is feasible. I know that it would make life easier for people on mobile devices (or simply travelling) who might have access to email but for whom replying on a page is too much hassle.
no subject
An alternative -- when you post via comment form, you have a server-generated auth hash unique for each entry/comment you're replying to. Hypothetically, we could use this in the reply-to address. That way, if someone spoofed your email address (which isn't hard to do, yeah), they still wouldn't be able to post freely as you. Bonus: when you hit reply, you wouldn't need to worry about entering an additional thing.
One thing I'd be worried about is exposing the reply-to address if you forwarded the comment notification to someone else. I don't think any of my email clients have ever done this, but I don't know enough to know if any do, and if it's rare enough to be an acceptable risk.