I just released v1.0.9531 which corrected the caching issue that prevented anonymous visitors from commenting.
Simply put: the cache operates at the Factory layer, which moves objects in and out of the database. But security happens at the Service layer, which coordinates the factories and other services to generate the objects that the user interface layer displays to you.
The basic sequence for displaying a post is for the EventService to ask the EventFactory for a post. The EventFactory caches posts for about 3 minutes, which means there's a huge probability that the post is already in the cache. It then passes that post along with the current user's profile (or null in the case of anonymous users) to the AuthorizationService to see if the user can (a) see the post and (b) see unapproved and deleted comments. If the user can see the post but not unapproved comments, the EventService strips the comments off the post before giving it to the UI.
I forgot C# objects are passed by reference. Despite that being one of the most basic principles of the language, it slipped my mind. (Always have someone else read your code, folks!) So when the EventService stripped the comments from the object it was about to pass to the UI, it was stripping them from the exact same object that was in the cache. So for anonymous comments, the anonymous commenter's comments got removed from the blog post as the EventService was checking to see if the commenter had permission to leave a comment.
Anyway, that's fixed now. And I'm actually pleased with myself that I at least got the security correct: better to display no data at all than to display data the user isn't authorized to see.
Not 10 seconds after deploying that fix, I discovered that a rude search bot was able to generate a ton of error messages just by trying to get a list of posts with the same tag on them. I've patched that temporarily while I refactor how tagged posts are displayed.
The fun never stops.
Copyright ©2026 Inner Drive Technology. Donate!