printf(Hello World!\n)
tech blog


Simple CMS comments

02-19-2022

The first version of the new CMS system is done, and I can already check a couple of things off of our design list:

Goals:

Adding new articles is as easy as creating a new .html doc (no header, body, html tags), throwing it into the right folder and updating a CSV to let the system know it's there. I do have to make sure that the filename is correct in the CSV, but I'd have to do that much anyway with a database.

If I were going to publish the CMS as it stands, I would still need to create a batch import script to help people move existing content over and write a README. Toying with the name "nerdPress" at the moment, but I'm not actually going to put it up on GitLab just yet. The system is still missing two key features that most site owners would want to have out of the box: comments and site analytics.

Doing comments without a database

Up to this point, none of the CMS system uses a database. Posting, editing and deleting are all managed with filesystem commands. However, comments lend themselves very strongly to a database. A simple table takes care of everything you need:

comments table

id  post_id  response_to  date      author_name  content
1   10                    20220217  Anonymous    "Hello, this blog rocks"
2   10       1            20220218  John Doe     "Actually, this blog sucks"
3   10       1            20220119  Janet Reno   "I agree, this blog is most excellent"

If I want to keep to the simple-and-straightforward design philosophy, I should install SQLite and get it over with. HOWEVER... if I view working without a database as a design constraint, perhaps I can come up with something that will be useful to people who, for whatever reason, absolutely refuse to have a database on their site.

Flat-file comments goals

I can create a comments subfolder for each post, put all comments into a single folder and parse them by filename, or even put all comments for a thread into a single file. Whatever I do, I want it to be intuitive to the site owner -- they should be easily able to find and delete a comment even if the CMS wasn't available to support them.

Security considerations

Doing a flat-file, command-line based CMS means that there are very few attack vectors for this site. Adding comments, however, means adding at least one webform that needs to be locked down carefully. User input is scary stuff. With no database, I don't have to worry about SQL-injection, but I will be letting users create new files on my webserver. I get to control file extensions, permissions and filenames, at least.

Two things I will need to add precautions against: spam and someone trying to fill up my server with lots of files. Without JavaScript, I won't be able to rely on Google's captchas, and will have to roll my own anti-spam solution. I have a couple of ideas. And I can guard against comment-pocalypse with post limits, but there may be some other things I can try as well.
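As an added illustration (not code from this CMS), here is one way a comment handler could keep control of filenames, extensions and permissions and enforce a per-post limit. The `comments/<post_id>/` layout, the function and constant names, and the limit values are all assumptions made for the example.

```python
import html, os, re, secrets, time
from pathlib import Path

MAX_COMMENTS_PER_POST = 200   # assumed cap so one thread cannot fill the disk
MAX_BODY_BYTES = 4096         # assumed per-comment size limit
POST_ID_RE = re.compile(r"[0-9]{1,9}")  # numeric post ids, as in the table above

class CommentRejected(Exception):
    pass

def save_comment(root, post_id, author, body, reply_to=""):
    """Store one comment as <root>/<post_id>/<timestamp>-<random>.txt."""
    # The only form value that reaches a path is a validated numeric id.
    if not POST_ID_RE.fullmatch(str(post_id)):
        raise CommentRejected("bad post id")
    if reply_to and not re.fullmatch(r"[0-9]{14}-[0-9a-f]{16}", reply_to):
        raise CommentRejected("bad reply target")
    data = body.encode("utf-8")
    if not data.strip() or len(data) > MAX_BODY_BYTES:
        raise CommentRejected("empty or oversized comment")
    folder = Path(root) / str(post_id)
    folder.mkdir(mode=0o750, parents=True, exist_ok=True)
    if sum(1 for _ in folder.glob("*.txt")) >= MAX_COMMENTS_PER_POST:
        raise CommentRejected("comment limit reached for this post")
    # Server-chosen name with a fixed extension; it sorts by time, so a plain
    # directory listing shows the thread in order for the site owner.
    stamp = time.strftime("%Y%m%d%H%M%S", time.gmtime())
    name = f"{stamp}-{secrets.token_hex(8)}.txt"
    # Header fields are single-line: drop CR/LF so a name cannot forge headers.
    author = re.sub(r"[\r\n\t]+", " ", author).strip()[:64] or "Anonymous"
    record = (f"author: {html.escape(author)}\nreply_to: {reply_to}\n\n"
              f"{html.escape(body)}\n")
    # O_EXCL refuses to reuse an existing name; mode 0o640 is never executable.
    fd = os.open(folder / name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(record)
    return folder / name
```

The count-then-create check is not atomic, so under concurrent posts the cap can be exceeded by a few files; a global rate limit in front of the form would still be needed for spam.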

Anyway, this will be interesting. If you happen to come across my blog and have any ideas or suggestions for me, feel free to send me an email. Otherwise, I will hopefully have some sort of commenting system up for all of my articles in the semi-near future.