If someone creates the username Guest, all hell breaks loose.

julian

Now, in hindsight, whoever implemented this checks specifically for the userslug by adding this in the template:

Looking at it now, I believe this was done because our templating engine doesn't parse "0" correctly (interprets it as true), so we can't just check the poster's uid. (Guests have a uid of 0).

As it stands, it seems to be correctly handling the differentiation between a real guest and a user named "Guest". We also don't allow two users to share the same userslug.

We should update templates.js so that an integer uid is returned from getPostData, and interpreted correctly by templates.js...

dylenbrivera

During account creation... if username guest, then have user choose new name. Shouldn't it be this simple? In theory?

julian

Hearing back from @psychobunny now: It seems templates.js interprets "0" as true, and 0 as false (similar to javascript interpretation of those values).

Core should be updated to return integers in the post/topic/category data.
Template should be updated to check the uid instead of a userslug

But this is more just for "better code" purposes... still seeing whether a user named "Guest" can do all sorts of shenanigans...

@dylenbrivera said:

if username guest, then have user choose new name. Shouldn't it be this simple? In theory?

Sure -- but "Guest" is a valid username, technically. No reason why not, from a technological sense, but in a social context, it's not "right", per se.

julian

Note the correct handling in the topic:

User named "Guest"

A real guest

dylenbrivera

@julian Should read "A guest has posted..."

dylenbrivera

That would allow enough room to differentiate.

julian

Have banned a Guest user, user can no longer post, as expected (although there's a "double reply button" glitch, gh#1749, that needs to be taken care of).

User also can't downvote.

a_5mith

Wowzers a lots happened in here since I went off to make Chicken & Chips... So what's the final verdict? Am I safe if I just ban that user?

julian

Issues Identified

Banning a user should log out that user's browser tabs. This used to be the case, but seems to have regressed
issue #1749, as mentioned in the previous post.

At this time, we cannot reproduce the issue of a banned or deleted user being able to downvote another user's posts...

a_5mith

@julian Well, I can't tell if it's just that user, as it doesn't say who downvoted you, there's another "forum" that like to stop by mine every now and then and cause as many issues as they can. The issues of running a forum.

julian

@a_5mith If you could find out how they managed to skirt around the downvoting, that would be helpful

a_5mith

@julian I think a user, or multiple users, just went through and started downvoting my posts.

I don't think the downvote is being exploited, I just happen to be babysitting some people with too much time on their hands.

julian

I empathise

In the meantime, you can always reset your rep by db diving... hset user:1 reputation 5

Though I don't vouch for the safety of doing so

a_5mith

@julian I'll leave it then. Still trying to work out why my server RAM is at 69% with the occasional BB restart.

psychobunny

We should really add some optional controls to prevent people from downvoting unless they have X rep themselves

Mauricio

@psychobunny Agree!

a_5mith

@psychobunny PLEASE DO THIS. falls to your feet

Oh and maybe clarify if resetting all rep to 0 once this has happened can be done without potentially breaking anything.

psychobunny

without potentially breaking anything

haha I make no promises

Add optional reputation threshold for downvoting · Issue #1757 · NodeBB/NodeBB

GitHub (github.com)

psychobunny

done

Mauricio

@psychobunny