
Guest can vote infinitely

Open maximeDore opened this issue 2 years ago • 2 comments

Describe the bug

When you are signed in to your Craft account you can only vote once per comment. But whenever you are signed out and voting as a guest you can vote as many times as you like.

While I understand that managing a guest's vote permissions is hard and there might be ways to bypass it, the fact that you can just spam the vote button is a bit silly. Preventing this one thing might make it look less like a bug.

Steps to reproduce

  1. Sign out of Craft CMS
  2. Upvote an existing comment.
  3. Click as many times as you like

Craft CMS version

4.4.13

Plugin version

2.0.7

Multi-site?

Yes

Additional context

No response

maximeDore avatar Jun 09 '23 20:06 maximeDore

This is only possible if “Enable Guest Voting” is enabled, but I’m not sure how possible or feasible it is to track guests in some manner to detect whether they’ve voted or not. We can certainly introduce a form of session identifier, but all it takes is someone to create a new session to spam voting again.

engram-design avatar Jun 09 '23 20:06 engram-design

Merely preventing the opportunity for everyone to spam might be enough for this. It should prevent most of the potential spammers from doing so.

Like you said, if someone knows how to bypass the session, there's not much that can be done anyway.

maximeDore avatar Jun 09 '23 21:06 maximeDore
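
The session-identifier approach discussed in this thread, as an added example that is not the plugin's own code: a server-side ledger counts one vote per guest session and comment, so repeated clicks are ignored. `GuestVoteLedger`, its methods and the in-memory array (standing in for a database table) are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the plugin's code: GuestVoteLedger is a hypothetical name.
final class GuestVoteLedger
{
    // "sessionHash:commentId" => +1 or -1. Stands in for a table with a unique index.
    private array $votes = [];

    // Opaque identifier to keep in the guest's server-side session.
    public function issueSessionId(): string
    {
        return bin2hex(random_bytes(16));
    }

    // Counts a vote once per (guest session, comment); true if it was counted.
    public function vote(string $sessionId, int $commentId, int $direction): bool
    {
        if ($direction !== 1 && $direction !== -1) {
            throw new InvalidArgumentException('direction must be 1 or -1');
        }
        // Store a hash so the ledger never holds a usable session identifier.
        $key = hash('sha256', $sessionId) . ':' . $commentId;
        if (isset($this->votes[$key])) {
            return false; // repeat click from the same session is ignored
        }
        $this->votes[$key] = $direction;
        return true;
    }

    public function score(int $commentId): int
    {
        $total = 0;
        foreach ($this->votes as $key => $direction) {
            if (str_ends_with($key, ':' . $commentId)) {
                $total += $direction;
            }
        }
        return $total;
    }
}

// Constructed demo: one guest clicks upvote five times on comment 42.
$ledger = new GuestVoteLedger();
$guest = $ledger->issueSessionId();
for ($i = 0; $i < 5; $i++) { $ledger->vote($guest, 42, 1); }
// A new session gets a new identifier, so its vote is counted separately.
$ledger->vote($ledger->issueSessionId(), 42, 1);
echo 'score for comment 42: ', $ledger->score(42), PHP_EOL;
```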