Good idea about salting the IPs; this is a very good starting point.

What if the unique post ID (e.g. #75uo9wwmclox) was a hash of the IP / time? This way we're not adding any non-RSS data to the XML, it'll be part of the URL instead.

Salting, and checking is then the difficult question. You don't want to include the username in the hash, since NNF allows you to use infinite different usernames. If we hash using the IP and time, we have something that is unique, only one part of the hash is known by the public (the time, not the IP) and we have the time saved so that we can re-hash from an IP to check against the ban.

That said, we can't store banned information in the RSS, because you'd have to parse every feed every time to look for it. There would need to be a banned.txt where the IPs were hashed in some way that was still private. We could store banned.txt in the users folder, which is protected, and just keep the IPs unhashed so that the admin has access to them and can manually manage the list if need be.

There would need to be a self-managing way for bans to last for 24-hours. The bans list could include a timestamp and then re-save itself whenever one has expired and gets removed.

It’s not useful to store IP with the user because the two are not necessarily related. Anybody could spam using a different username every post whilst on the same IP.

@Jose Pedro Arvela Yes, didn’t think of it that way. That’s actually a good idea, since it’s easy for NNF to look up the IP to ban based on an RSS item

Already tried that, it’s just not effective enough yet. Any individual admin can change the search engine themselves if they have a preference.

Note to self: Automatic state configuration is _hard_.

I've been working on the no-htaccess feature and it's seriously difficult. NNF has to function in a interchangeable mix of environments that combines auto-selected states:

1. With (reliable) or without (unreliable) htaccess +
2. Running in root (reliable), or in a sub-folder (unreliable)

These two are responsible for making URLs very complex to construct. After a lot of breakage, I've just about got it into order. clean URLs (+htaccess) are relative, but ugly URLs (-htaccess) are absolute, but the path (sub-forum) in pretty URLs includes the NNF root-folder (if not running in web-root), but ugly URLs don't: i.e. pretty: `/nnf/sub-forum/` ugly: `nnf/index.php?path=sub-forum/`.

Once I'd worked out a way to get the many varieties of input to my central `url` function to canonicalise pretty and ugly URLs to absolute URLs I then discovered the joy of Apache confusing threads with the same names as sub-forums. Turning DirecotrySlash off would fix this, but would then mandate that all links pointing to NNF when running in a sub-folder (e.g. `website.com/nnf/`) end in a slash otherwise you'd get a 403. That wasn't acceptable to me so I had to find a work-around.

By taking the pretty canonicalised absolute URL and stripping off the start of it that matches the location of the current page, we can turn the absolute URL into a relative URL without having to alter the caller's parameters. (One of the hardest aspects has been making all calls to `url` be the same, regardless of +htaccess, -htaccess, root or sub-folder)

I think I've overcome the biggest hurdles now and need to work on refactoring this solution a little and adding some more comments. To finish the feature we need to mandate the admin move the users folder into a private space when running without htaccess, otherwise all the passwords would be easily exposed.

We won't be making the IP visible, even to the site admin, just so as to be secure and not leak people's data; but you will be able to ban the IP by banning the username in the UI.

No-HTAccess support is not done yet, but it's nearing completion. A difficult hurdle to get over is the signin link needs to be crafted on every page, and that now requires knowing the path, file & page number which is different on index and thread pages. I could either make it ugly with more parameters, or make it odd and confusing by making these variables global.

@oldtimes Whilst IP banning can never be totally effective, I noted in the original NoNonsense Forum article (http://camendesign.com/forums) that other forums have all kinds of registration hurdles, CAPTCHAs and the like and *still* get spammed, so I am under no illusion that adding banning to NNF would ever solve the problem entirely, but it can solve _some_ problems (mainly automated spam bots).

I'll be using the REMOTE_ADDR HTTP header provided by Apache, I have no knowledge of IPV6 support, but I would expect that an IPV6 address would appear there when used.

Banning subnets and what not is a job for the site-admin and not NNF at this time. Initial support will be for single IP-banning for 24-hours / permanent.

Aha, excellent information Sir, thanks!

@WebDesigner

Hello, thanks for the feedback. Let me reply to each of these comments in turn:

“I think that everyone must be able to embed images and videos, and not only Mods!”

Simply far too dangerous. Any random spam bot could post images. There is also no flood control or fast enough methods for cleaning up spam. I will provide an option in the future to allow _members_ of a forum to post images, but not non-members. Therefore in your forum that you trust to be allowed to post images, you can make a member and they will be able to embed images, without having mod powers.

“As it is, the only window page title we get is only the name of the thread or the name of the Sub-Forum.”

Change `THEME_TITLE*` constants in your "theme.config.php", these specify the HTML titles, which you can append a prefix or suffix as you like.

“Also, I would like through "config.php" to be able to put any text [at the top] but I want it to appear in every page and not only on the main page.”

Modify the theme files, or create your own custom theme. Full instructions on themes, here: https://github.com/Kroc/NoNonsenseForum/wiki/How-to-Make-A-NoNonsense-Forum-Theme

“Last but not least, I would like a built-in search function to avoid Google.”

You may use any search engine you want, it doesn't have to be Google. Just modify the theme to use DuckDuck Go or Yahoo instead. Built-in search won't be happening for a while. Search is hard to do right and adds a _lot_ of code. I won't be doing it soon, and probably not without assistance.

“In some servers, when you put "www" before the web link, the link is not applied to the entire web address.”

This is a current bug, download the development version of NNF to fix this, the next official version will include the fix. https://github.com/Kroc/NoNonsenseForum/zipball/development

Hope this all helps.
Kind regards,

Kroc Camen.

“Although NoNonsense Forum supports unicode, If the thread title is written in a language that is not based upon latin characters, Hellenic (Greek) for example, the web address of the tread looks like this:

http://www.testforum.gr/__1”

This is fixed (depending on your server), in the development version. If you have PHP 5.4, Greek letters will be transliterated to a-z. If you don't have PHP 5.4 most accented letters will be transliterated, but not more complex scripts (Greek / Cyrillic / Hebrew &c.)

“But when I create a folder VIa CPanel on the server in order to create a sub forum, it appears normally”

This is because when a user creates a thread, they could attempt to hack by writing thread names (and therefore filenames) with specially crafted Unicode, and so for safety reasons, thread titles are restricted to a-z. When you create a folder on your server, you're a trusted person with admin access, so you can name it what you want.