If someone creates the username Guest, all hell breaks loose.
-
The "guest" itself is not an actual account, per se. We detect whether a guest is posting by looking at the post object and checking for a blank userslug.
e.g.
{ "pid": "1", "uid": "2", "tid": "1", "content": "<p>This was posted by a real account under the name "Guest"</p>\n", -✂- snip snip -✂- "user": { "username": "Guest", "userslug": "guest", "reputation": "0", "postcount": "1", "banned": false, "picture": "https://secure.gravatar.com/avatar/c5d5cc05e15e794cdf17459b53e7a793?size=128&default=identicon&rating=pg", "signature": "", "groups": [] }, -✂- snip snip -✂- }
vs.
{ "pid": "3", "uid": "0", "tid": "1", "content": "<p>Now I am posting as an actual guest.</p>\n", -✂- snip snip -✂- "user": { "username": "[[global:guest]]", "userslug": "", "reputation": 0, "postcount": "1", "banned": false, "picture": "https://secure.gravatar.com/avatar/d41d8cd98f00b204e9800998ecf8427e?size=128&default=identicon&rating=pg", "signature": "", "groups": [] }, -✂- snip snip -✂- }
-
Now, in hindsight, whoever implemented this checks specifically for the userslug by adding this in the template:
<!-- IF posts.user.userslug -->
Looking at it now, I believe this was done because our templating engine doesn't parse "0" correctly (interprets it as true), so we can't just check the poster's uid. (Guests have a uid of 0).
As it stands, it seems to be correctly handling the differentiation between a real guest and a user named "Guest". We also don't allow two users to share the same userslug.
We should update templates.js so that an integer uid is returned from
getPostData
, and interpreted correctly by templates.js... -
During account creation... if username guest, then have user choose new name. Shouldn't it be this simple? In theory?
-
Hearing back from @psychobunny now: It seems templates.js interprets "0" as true, and 0 as false (similar to javascript interpretation of those values).
- Core should be updated to return integers in the post/topic/category data.
- Template should be updated to check the uid instead of a userslug
But this is more just for "better code" purposes... still seeing whether a user named "Guest" can do all sorts of shenanigans...
@dylenbrivera said:
if username guest, then have user choose new name. Shouldn't it be this simple? In theory?
Sure -- but "Guest" is a valid username, technically. No reason why not, from a technological sense, but in a social context, it's not "right", per se.
-
That would allow enough room to differentiate.
-
Issues Identified
- Banning a user should log out that user's browser tabs. This used to be the case, but seems to have regressed
- issue #1749, as mentioned in the previous post.
At this time, we cannot reproduce the issue of a banned or deleted user being able to downvote another user's posts...
-
We should really add some optional controls to prevent people from downvoting unless they have X rep themselves
-
@psychobunny Agree!
-
@psychobunny PLEASE DO THIS. falls to your feet
Oh and maybe clarify if resetting all rep to 0 once this has happened can be done without potentially breaking anything.
-
without potentially breaking anything
haha I make no promises
-
done