Diffusion hydra d38e768ed877

Prevent users from voting for invalid Slowvote options

Description

Prevent users from voting for invalid Slowvote options

Summary:
Depends on D19773. See https://hackerone.com/reports/434116. You can currently vote for invalid options by submitting, e.g., vote[]=12345.

By doing this, you can see the responses, which is sort of theoretically a security problem? This is definitely a bug, regardless.

Instead, only allow users to vote for options which are actually part of the poll.

Test Plan:

  • Tried to vote for invalid options by editing the form to vote[]=12345 (got error).
  • Tried to vote for invalid options by editing the radio buttons on a plurality poll into checkboxes, checking multiple boxes, and submitting (got error).
  • Voted in approval and plurality polls the right way, from the main web UI and from the embed ({V...}) UI.

Reviewers: amckinley

Reviewed By: amckinley

Differential Revision: https://secure.phabricator.com/D19774
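The check described in the summary and test plan, sketched as an added example (not code from this commit or from Phabricator). The function name, the `'plurality'`/`'approval'` method strings, and the sample option IDs are assumptions made for illustration.

```php
<?php
// Added illustration; not Phabricator's code. All names here are hypothetical.

// Return the option IDs a submission may vote for, or throw if any submitted
// value is not an option of this poll or the poll method forbids the set.
function validate_votes(array $poll_option_ids, string $method, $submitted): array {
  if (!is_array($submitted)) {
    throw new InvalidArgumentException('vote must be a list');
  }
  $valid = array_fill_keys($poll_option_ids, true);
  $chosen = array();
  foreach ($submitted as $raw) {
    // Canonical decimal IDs only: rejects nested arrays, "101abc", "1e2".
    if (!is_string($raw) || !preg_match('/^[1-9]\d{0,17}\z/', $raw)) {
      throw new InvalidArgumentException('malformed option ID');
    }
    $id = (int)$raw;
    // The check the commit describes: the ID must belong to this poll.
    if (!isset($valid[$id])) {
      throw new InvalidArgumentException("option {$id} is not part of this poll");
    }
    $chosen[$id] = $id; // collapse repeated IDs
  }
  // Enforced server-side because radio buttons can be edited into checkboxes.
  if ($method === 'plurality' && count($chosen) > 1) {
    throw new InvalidArgumentException('plurality polls accept one option');
  }
  return array_values($chosen);
}

// Constructed sample poll and submissions (form values arrive as strings).
$options = array(101, 102, 103);
$cases = array(
  array('plurality', array('12345')),       // ID from outside the poll
  array('plurality', array('101', '102')),  // multiple picks on plurality
  array('plurality', array('102')),         // valid
  array('approval',  array('101', '103')),  // valid
);
foreach ($cases as list($method, $vote)) {
  try {
    $ok = validate_votes($options, $method, $vote);
    echo "{$method} [" . implode(',', $vote) . "] accepted: " . implode(',', $ok) . "\n";
  } catch (InvalidArgumentException $e) {
    echo "{$method} [" . implode(',', $vote) . "] rejected: " . $e->getMessage() . "\n";
  }
}
```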

Details

Provenance
epriestley Authored on Nov 5 2018, 1:19 PM
sirocyl Pushed on Oct 16 2024, 5:49 AM
Parents
R1:5e1d94f33651: Remove nonfunctional AJAX embed behavior for Slowvote
Branches
Unknown
Tags
Unknown
