JoshyPHP wrote:
> Pony99CA wrote:
> > If you don't have permission to read the post that's linked to, so what?
>
> It would leak information on posts that can't be read. It's not critical information but someone would eventually report it to a security database and it would have to be fixed.
What exactly would be leaked? If somebody else quoted it and I'm quoting them, I've already seen it. If I'm quoting it, I obviously can already see it.
Maybe I'm missing something, so please explain what scenario would leak information that I couldn't already see.
JoshyPHP wrote:
> Pony99CA wrote:
> > I presume that nested quotes will be posted with all of the information already resolved, so we don't have to worry about those, right?
>
> Why would you treat nested quotes differently though? If using user-submitted data for quotes is bad for the outermost quote, it should be bad for nested quotes as well.
Sorry, by "Nested" I meant existing quotes that I was quoting. I'm not referring to creating multiple levels of nested quotes myself -- those would all be "unresolved", of course.
JoshyPHP wrote:
> Pony99CA wrote:
> > It's not always about what's simplest, but what's best for users.
> > I don't think that seeing those extra parameters is necessary for users, and could lead to mischief.
>
> I believe that simplicity is what benefits users most directly. It's less code for bugs to creep in and unforeseen interactions to take place. I'm not worried about any abuse for two reasons. Firstly because it's already possible to set an arbitrary name as the quote author and link it to a profile, and secondly because that's what other forums do.
End user simplicity and amount of code is often a balancing act. A "Hello world" program is usually the simplest you can get, but it doesn't help the user at all (except to see that the computer can execute a program). And, of course, "user benefit" is also subjective.
I'm also not sure what you mean by "it's already possible to set an arbitrary name as the quote author and link it to a profile." If you mean in a quote, quotes don't link to profiles now, so they can't. If you mean that I can post that now in my post text (like this: Pony99CA), sure, but it's a lot more work. I'd have to go to the user's profile, copy the URL, add long-form URL tags into my post, paste the link in, then type the user name that I wanted to spoof. With quoting your way, I'd just change the user's name or his ID (which I might have to retrieve, of course) in the BBCode.
Steve