The current "questioner" field (i.e. the name of the person asking the question) can be misused since, although it is pre-populated with $user->uid for logged-in users, this can be overtyped with any other name or valid uid. It is therefore easy to spoof questions coming from other users.

A better approach would be to prepopulate the field with $user->name (or $user->uid) for registered users and then set the field type to hidden, only keeping it visible to collect the name of anonymous users if they are allowed to ask questions.
In fact, perhaps we don't need the questioner field at all, but rather collect the uid for registered users and an email address for non-registered users (which would be required for question notification to be introduced as suggested in http://drupal.org/node/130046).
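
One way to enforce the split described above on the server, added here as an example and not part of the original post or the module's code. The function name `resolve_questioner`, the array keys, the 60-character name limit and the sample data are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not the module's own code.
// $account   = the server-side session user (uid 0 = anonymous, as in Drupal).
// $submitted = raw POST data, which the client fully controls.
function resolve_questioner(array $account, array $submitted, bool $allow_anonymous): array {
  if ($account['uid'] > 0) {
    // Logged-in user: identity comes from the session only. Any "questioner"
    // value in the POST (visible or hidden input) is ignored.
    return ['uid' => $account['uid'], 'name' => $account['name'],
            'mail' => null, 'verified' => true];
  }
  if (!$allow_anonymous) {
    throw new RuntimeException('Anonymous users may not ask questions.');
  }
  $name = trim((string) ($submitted['questioner'] ?? ''));
  $mail = trim((string) ($submitted['mail'] ?? ''));
  if ($name === '' || strlen($name) > 60) {  // 60 is an assumed limit
    throw new InvalidArgumentException('A name of 1-60 characters is required.');
  }
  if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
    throw new InvalidArgumentException('A valid e-mail address is required.');
  }
  // uid 0 and verified=false mark the name as self-declared, so a typed-in
  // name is never attributed to a registered account.
  return ['uid' => 0, 'name' => $name, 'mail' => $mail, 'verified' => false];
}

// Constructed sample input: user 7 ("alice") overtypes the field with "admin".
$alice = ['uid' => 7, 'name' => 'alice'];
$spoofed_post = ['questioner' => 'admin', 'question' => 'Why?'];
$q = resolve_questioner($alice, $spoofed_post, true);
printf("logged-in:  uid=%d name=%s verified=%s\n",
       $q['uid'], $q['name'], var_export($q['verified'], true));

// Constructed sample input: an anonymous visitor supplies a name and e-mail.
$anon = ['uid' => 0, 'name' => ''];
$q = resolve_questioner($anon, ['questioner' => 'Bob', 'mail' => 'bob@example.com'], true);
printf("anonymous:  uid=%d name=%s verified=%s\n",
       $q['uid'], $q['name'], var_export($q['verified'], true));

// Anonymous posting disabled: the request is rejected outright.
try {
  resolve_questioner($anon, ['questioner' => 'Bob', 'mail' => 'bob@example.com'], false);
} catch (RuntimeException $e) {
  echo "rejected:   ", $e->getMessage(), "\n";
}
```

A hidden form input is still submitted by the browser and can be altered in transit, so the server must not trust it for identity. In Drupal's Form API, an element with `'#type' => 'value'` is kept on the server and never rendered into the page.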

Comments

tanoshimi

Category: bug » task

Going to address this as part of a 2.x release.