If someone creates the username Guest, all hell breaks loose.

Bug Reports
  • #1

    If someone changes their username to Guest, they're effectively invisible. They have no profile, no UID, and all the other bits of a guest account, except they can post anonymously (as you don't actually know who it is).

  • Plugin & Theme Dev

    Sounds like a pretty big glitch. I'll recreate it and see what else you can do with it.

  • #3

    I'm not entirely sure what's going on here, I deleted the guest account from the admin panel, I come back, they've managed to post again, profile still exists, same number of posts etc etc. I have tried creating an account called Guest manually myself, so will see if that helps. However I don't believe it will, as their profile doesn't exist, but mine does. Could it possibly be they're still viewing a cached version of the site from when guest posting was turned on while I solved some login issues? So I don't fully understand where the exploit is here. They've also spent the past 2 hours repping every single one of my posts down (I'm down to about -200).

    Some assistance would be great.

  • #4

    Brilliant, back again. So I can't actually remove someone even if I wanted to.


    I can't ban them at a server level, because they don't have a profile to see what their IP is, they don't appear online, they're not in search.

  • Plugin & Theme Dev Anime Lovers GNU/Linux

    Hmm, I created names like "banned", "guest", "administrator" because there were no username restrictions in the beginning and banned them from use. I'm glad I did so. Yikes.

  • #6

    @trevor makes sense. How can we fix this?

  • Plugin & Theme Dev Anime Lovers GNU/Linux

    Okay I changed my name to guest...

  • #8

    @guest Oh god an exploit - arrest him!

  • Plugin & Theme Dev Anime Lovers GNU/Linux

    Would you change your name as well just to see? But yeah, I'm not sure how to fix this because it's a new bug introduced, I believe. @baris @julian

    EDIT: Change it back because I don't want my name taken lol.

  • #10

    Right, have made some progress with this, @bentael thinks it's down to the SMF importer and the allow guest posting that's been deprecated. So appears not to be a bug with NodeBB per se. But with the importer. As for how I fix this, I'm not sure, but I've closed the GitHub issue as it's not strictly NodeBB, but I'll keep this thread going for when one of the devs walks past. 🙂

  • Plugin & Theme Dev

    Well, I don't think that the Importer using the Guest account to preserve the posts of the deleted or invalid users is an actual bug. It's just a way to keep the topics making sense, so no posts get lost in the process.

    However, respawning the Guest account after deleting it may be a NodeBB bug or a misunderstanding, I think there is a better way to prevent the Guests from posting.

    @julian @baris ?

  • #12

    @bentael @psychobunny

    Completing the set. First one in here wins internets. 😆 They haven't clocked on they can exploit this yet, but I can't see it being long.

  • #13

    The Guest Glitch Exploit. I dig it.

  • GNU/Linux

    The "guest" itself is not an actual account, per se. We detect whether a guest is posting by looking at the post object and checking for a blank userslug.


    	"pid": "1",
    	"uid": "2",
    	"tid": "1",
    	"content": "<p>This was posted by a real account under the name &quot;Guest&quot;</p>\n",
    			-✂- snip snip -✂-
    	"user": {
    		"username": "Guest",
    		"userslug": "guest",
    		"reputation": "0",
    		"postcount": "1",
    		"banned": false,
    		"picture": "https://secure.gravatar.com/avatar/c5d5cc05e15e794cdf17459b53e7a793?size=128&default=identicon&rating=pg",
    		"signature": "",
    		"groups": []
    			-✂- snip snip -✂-


    	"pid": "3",
    	"uid": "0",
    	"tid": "1",
    	"content": "<p>Now I am posting as an actual guest.</p>\n",
    			-✂- snip snip -✂-
    	"user": {
    		"username": "[[global:guest]]",
    		"userslug": "",
    		"reputation": 0,
    		"postcount": "1",
    		"banned": false,
    		"picture": "https://secure.gravatar.com/avatar/d41d8cd98f00b204e9800998ecf8427e?size=128&default=identicon&rating=pg",
    		"signature": "",
    		"groups": []
    			-✂- snip snip -✂-
  • GNU/Linux

    Now, in hindsight, whoever implemented this checks specifically for the userslug by adding this in the template:

    <!-- IF posts.user.userslug -->

    Looking at it now, I believe this was done because our templating engine doesn't parse "0" correctly (interprets it as true), so we can't just check the poster's uid. (Guests have a uid of 0).

    As it stands, it seems to be correctly handling the differentiation between a real guest and a user named "Guest". We also don't allow two users to share the same userslug.

    We should update templates.js so that an integer uid is returned from getPostData, and interpreted correctly by templates.js...

  • #16

    During account creation... if username guest, then have user choose new name. Shouldn't it be this simple? In theory?

  • GNU/Linux

    Hearing back from @psychobunny now: It seems templates.js interprets "0" as true, and 0 as false (similar to JavaScript interpretation of those values).

    • Core should be updated to return integers in the post/topic/category data.
    • Template should be updated to check the uid instead of a userslug

    But this is more just for "better code" purposes... still seeing whether a user named "Guest" can do all sorts of shenanigans...

    @dylenbrivera said:

    if username guest, then have user choose new name. Shouldn't it be this simple? In theory?

    Sure -- but "Guest" is a valid username, technically. No reason why not, from a technological sense, but in a social context, it's not "right", per se.
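
The uid handling proposed in the two posts above, as an added example that is not part of the thread or NodeBB's own code: it shows why a string uid of "0" passes a bare truthiness test and how coercing uid to an integer lets guest status be decided by uid instead of userslug. The field names come from the post objects quoted earlier; the function names and the trimmed sample objects are assumptions made for illustration.

```javascript
// Added example. Field names (uid, userslug, username) follow the post
// objects quoted in the thread; all function names are hypothetical.

// Constructed samples, trimmed from the two quoted post objects.
// uid arrives as a string, exactly as it appears in those objects.
const namedGuestPost = { pid: "1", uid: "2", user: { username: "Guest", userslug: "guest" } };
const realGuestPost = { pid: "3", uid: "0", user: { username: "[[global:guest]]", userslug: "" } };

// A bare truthiness test, which is what a template conditional amounts to.
// The string "0" is truthy, so a real guest's uid passes as "has a user".
function naiveHasUser(post) {
  return Boolean(post.uid);
}

// Coerce uid to an integer once, where post data leaves the core.
// Anything that is not a plain run of digits is treated as guest (0),
// so malformed data fails closed instead of gaining a profile link.
function normalizeUid(raw) {
  const s = String(raw).trim();
  return /^\d+$/.test(s) ? Number.parseInt(s, 10) : 0;
}

function normalizePost(post) {
  return { ...post, uid: normalizeUid(post.uid) };
}

// Guest status is decided by uid alone, never by username or userslug,
// so an account that picked the name "Guest" is still a normal account.
function isGuestPost(post) {
  return normalizePost(post).uid === 0;
}

function classify(posts) {
  return posts.map((p) => ({
    pid: p.pid,
    naiveHasUser: naiveHasUser(p),
    isGuest: isGuestPost(p),
  }));
}

console.log(classify([namedGuestPost, realGuestPost]));
```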

  • GNU/Linux

    Note the correct handling in the topic:

    User named "Guest"


    A real guest


  • #19

    @julian Should read "A guest has posted..."

  • #20

    That would allow enough room to differentiate.
