
Prevent users from voting for invalid Slowvote options
Closed, Public

Authored by epriestley on Nov 5 2018, 6:23 PM.

Details

Summary

Depends on D19773. See https://hackerone.com/reports/434116. You can currently vote for invalid options by submitting, e.g., vote[]=12345.

By doing this, you can see the responses, which is sort of theoretically a security problem? This is definitely a bug, regardless.

Instead, only allow users to vote for options which are actually part of the poll.

Test Plan
  • Tried to vote for invalid options by editing the form to vote[]=12345 (got error).
  • Tried to vote for invalid options by editing the radio buttons on a plurality poll into checkboxes, checking multiple boxes, and submitting (got error).
  • Voted in approval and plurality polls the right way, from the main web UI and from the embed ({V...}) UI.
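
The check described in the summary, as an added sketch in plain PHP (not the code from this revision or from Phabricator): submitted option IDs are accepted only if they belong to the poll, and the one-vote rule for plurality polls is enforced on the server rather than by the form's radio buttons. The function name, constants and sample poll are hypothetical.

```php
<?php
// Added illustration; not Phabricator's code. All names here are hypothetical.

const METHOD_PLURALITY = 'plurality'; // exactly one choice (radio buttons)
const METHOD_APPROVAL  = 'approval';  // any number of choices (checkboxes)

// Validate the raw "vote" request parameter against the poll definition.
// Returns the option IDs to record, or throws on invalid input.
function validate_votes($raw, array $poll_option_ids, string $method): array {
  // "vote[]=1&vote[]=2" arrives as an array, "vote=1" as a scalar.
  $submitted = is_array($raw) ? $raw : array($raw);

  $votes = array();
  foreach ($submitted as $value) {
    // Reject nested arrays ("vote[][x]=1") and non-numeric strings.
    if (!is_string($value) || !ctype_digit($value)) {
      throw new InvalidArgumentException('Malformed option ID.');
    }
    $id = (int)$value;
    // The core check: the ID must belong to this poll.
    if (!in_array($id, $poll_option_ids, true)) {
      throw new InvalidArgumentException("Option {$id} is not part of this poll.");
    }
    $votes[$id] = $id; // de-duplicate repeated IDs
  }

  // The widget type (radio vs. checkbox) is client-side; enforce it here too.
  if ($method === METHOD_PLURALITY && count($votes) !== 1) {
    throw new InvalidArgumentException('Plurality polls take exactly one vote.');
  }
  return array_values($votes);
}

// Constructed sample: a plurality poll whose options have IDs 7, 8 and 9.
$options = array(7, 8, 9);
$cases = array(
  'valid'            => array('8'),
  'foreign option'   => array('12345'),
  'multiple choices' => array('7', '9'),
);
foreach ($cases as $label => $raw) {
  try {
    $result = implode(',', validate_votes($raw, $options, METHOD_PLURALITY));
    echo "{$label}: accepted [{$result}]\n";
  } catch (InvalidArgumentException $e) {
    echo "{$label}: rejected ({$e->getMessage()})\n";
  }
}
```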

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable