Getting the WordPress TMAC and GASP Plugins to Play Nice

Two of the WordPress plugins I use on this site are Twitter Mentions as Comments and Growmap Anti Spambot Plugin. The first, TMAC, watches Twitter for any tweets that link to a post somewhere on this blog and submits those tweets as new comments on that particular post. GASP’s job is to keep spammers from submitting spammy comments by placing a JavaScript-driven checkbox in the comment form. A user must check the box to confirm they are not a spambot before submitting their comment (you can see this in action if you leave a comment).

Both of these plugins are great and work really well on their own.

However, when both plugins are in use and TMAC submits a comment, GASP inspects the comment to see if the checkbox has been marked, finds that it hasn’t been, and silently rejects the comment. (Aside: the exception to this is if you are a logged-in user and you initiate a manual TMAC check, any new tweets will successfully pass through GASP).

Since GASP is just checking the HTTP POST variables to see if the box was marked, we can have TMAC tweak the POST variables in its favor when submitting a new comment. Ideally GASP would have filters/hooks throughout the code which would allow us to do this all within GASP, but unfortunately there are no filters present.

I’m modifying the POST variables in my theme’s functions.php like so:

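function tmac_gasp_workaround($posts)
{
    /* GASP only looks for this POST field, so any value marks the box as checked */
    $_POST['gasp_checkbox'] = 'tmac_workaround';

    /* return $posts untouched */
    return $posts;
}
/* run the workaround whenever TMAC gathers the posts it will check for mentions */
add_filter('tmac_mentions_check_posts', 'tmac_gasp_workaround');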

The $posts argument is what the tmac_mentions_check_posts filter passes in. We return it unchanged. By creating the gasp_checkbox POST variable and setting it to an arbitrary value, GASP will now believe that a user marked the checkbox and the Twitter comments will be successfully posted.

I don’t believe this fix opens any sort of window for a spammer to get through GASP’s checks. The function above is only called during TMAC’s scheduled check for new tweets and that check is spawned by an asynchronous HTTP POST request that WordPress initiates to itself as users are browsing the site. The POST variable that’s being influenced above belongs to that async HTTP request and not any HTTP requests initiated by users (or spambots) so users must still mark the box for their comments to be posted.
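The argument above rests on the filter only firing inside the scheduled, self-issued request. As an added example (not the author's code and not part of either plugin), this variant of the functions.php snippet enforces that condition in code; it assumes TMAC's scheduled check runs under WP-Cron, and the function name tmac_gasp_workaround_cron_only is hypothetical. Use it in place of the original function, not alongside it.

```php
/**
 * Added example: set GASP's checkbox field only while WordPress is
 * servicing a cron request. Assumes TMAC's scheduled check runs under
 * WP-Cron, i.e. the request WordPress issues to itself.
 */
function tmac_gasp_workaround_cron_only($posts)
{
    // wp_doing_cron() exists since WordPress 4.8; older versions only
    // define the DOING_CRON constant inside wp-cron.php.
    $in_cron = function_exists('wp_doing_cron')
        ? wp_doing_cron()
        : (defined('DOING_CRON') && DOING_CRON);

    if (!$in_cron) {
        // A browser-initiated request: leave $_POST alone so GASP
        // judges the request exactly as it would without this code.
        return $posts;
    }

    if (!isset($_POST['gasp_checkbox'])) {
        // Any value works, since GASP only looks for the field.
        $_POST['gasp_checkbox'] = 'tmac_workaround';
    }

    /* return $posts untouched */
    return $posts;
}
add_filter('tmac_mentions_check_posts', 'tmac_gasp_workaround_cron_only');
```

If some other code path ever applies the tmac_mentions_check_posts filter during a visitor's request, the guard keeps that request from inheriting the pre-checked box.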
