--- modules/comment.module.orig 2005-08-07 22:34:45.000000000 -0400
+++ modules/comment.module 2005-08-08 09:58:50.000000000 -0400
@@ -288,6 +288,16 @@
 }
 
 /**
+ * Implementation of hook_cron().
+ */
+function comment_cron() {
+ // private key used to enforce comment previews when required.
+ if (!variable_get('comment_private_key', '')) {
+ variable_set('comment_private_key', mt_rand());
+ }
+}
+
+/**
  * Implementation of hook_user().
  *
  * Provides signature customization for the user's comments.
@@ -1425,13 +1435,15 @@
  $form .= form_hidden('pid', $edit['pid']);
  $form .= form_hidden('nid', $edit['nid']);
  $form .= form_hidden('uid', $edit['uid']);
+ $token = md5($edit['pid'] . $edit['nid'] . variable_get('comment_private_key', ''));
+ $form .= form_hidden('token', $token);
  $form .= form_submit(t('Preview comment'));
  // Only show post button if preview is optional or if we are in preview mode.
  // We show the post button in preview mode even if there are form errors so that
  // optional form elements (e.g., captcha) can be updated in preview mode.
- if (!variable_get('comment_preview', 1) || ($_POST['op'] == t('Preview comment')) || ($_POST['op'] == t('Post comment'))) {
+ if (!variable_get('comment_preview', 1) || (($_POST['op'] == t('Preview comment') || $_POST['op'] == t('Post comment')) && $edit['token'] == $token)) {
  $form .= form_submit(t('Post comment'));
  }
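Review bot: The key that every comment-form token is derived from is produced by `mt_rand()` in comment_cron(), which is not a cryptographic source and yields at most 31 bits, so anyone holding one token together with its pid and nid (both are emitted as hidden fields beside it in the second hunk, and the token is md5 of pid . nid . key) can recover the key offline with roughly 2^31 md5 calls and then mint a valid token for any pid/nid. The key also only comes into existence when cron first runs, so until then `variable_get('comment_private_key', '')` returns '' and the token collapses to md5(pid . nid), which the client can compute by itself. I would seed with more entropy and create the key lazily at the point of use rather than only from hook_cron: `variable_set('comment_private_key', md5(uniqid(mt_rand(), true)));`. The `!variable_get(...)` truthiness test would also regenerate the key on every cron run if mt_rand() ever returned 0, so comparing against '' explicitly is safer than relying on truthiness.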