Bug editing html allows you to like and dislike regardless if disabled.

[Mental]

Hi

I've set it so that if you like you cannot dislike and vice versa but when a user edits the source they're able to bypass the restriction. I've had numerous users abuse this within 24 hours.

By deleting the following line , it allows users to like / dislike.

 

[Fillip H.]

I have not found a way to edit the .js file that reflects on the website. I'm also entirely unable to replicate this issue even if I comment out the line you highlighted and try to mash multiple buttons in quick succession.

Please provide detailed step-by-step instructions to replicate this issue.

 

[Mental]

I got it working with this method.

Like -> 30 sec -> Unlike -> Dislike & Like again

But its not working as it does on mine given our setup is slightly different. Try removing the text / thanks and then try the method mentioned.

 

[Mental]

 

[Fillip H.]

But its not working as it does on mine given our setup is slightly different. Try removing the text / thanks and then try the method mentioned.

Sorry, I don't know what you mean by that. Using the option of removing the button text does not affect the permission checks for button clicks.

I am still unable to replicate this issue. Commenting out the mentioned line does not allow me to click two buttons. The permission checks are still in effect before the button click is saved, so the only way this could possibly happen is if your database server has a major delay (2-3 seconds) and the second click would somehow be able to slip through before the first one had saved to the database.

If this is the case, I am unable to do anything about that as I do not have control over your specific server.

If I'm misunderstanding you, please provide detailed step-by-step instructions on how to replicate it, including full details of all your configuration options.


Also, for the future, please enter the correct URL in the issue field. If you fill out an invalid URL, we will be unable to assist you with your support query until you edit the issue and fill out the correct URL.

 

[Mental]

Here is a video. Our server is fairly decent, dual quads so 8 dedicated cores. We got 2.5k online atm.

[video=youtube;5KTYhY9IX4s]https://www.youtube.com/watch?v=5KTYhY9IX4s&feature=player_detailpage[/video]

Sample query that you're script sends >

mysql> SHOW FULL PROCESSLIST;
+----------+------------------+-----------+--------------------+---------+------+--------------+--------------------------------------------------------------------------------------------------------------------------+
| Id       | User             | Host      | db                 | Command | Time | State        | Info                                                                                                                     |
+----------+------------------+-----------+--------------------+---------+------+--------------+--------------------------------------------------------------------------------------------------------------------------+
| 14617606 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617609 | root             | localhost | NULL               | Query   |    0 | NULL         | SHOW FULL PROCESSLIST                                                                                                    |
| 14617612 | forum_forum20 | localhost | forum_forum2013 | Query   |    0 | Sending data | SELECT *
                FROM dbtech_thanks_entry AS entry
                WHERE contentid IN (04415716,4415825,4421751)
                        AND contenttype = 'post' |
| 14617614 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617615 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617616 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617617 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617618 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617620 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617621 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617622 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617625 | forum_wordpre | localhost | forum_wordpress | Sleep   |    0 |              | NULL                                                                                                                     |
| 14617626 | forum_forum20 | localhost | forum_forum2013 | Sleep   |    0 |              | NULL                                                                                                                     |
+----------+------------------+-----------+--------------------+---------+------+--------------+--------------------------------------------------------------------------------------------------------------------------+
13 rows in set (0.00 sec)

 

[Fillip H.]

Can you please double-check your configuration, specifically that you have not only edited "Like" to be exclusive with "Dislike", but also edited "Dislike" to be exclusive with "Like"?

The exclusivity works one way only, unless you edit both buttons. In other words, if you have only edited the Like button, clicking Like first will still allow you to click Dislike and vice versa.

 

[Mental]

Yes, i set it so only the likes can be liked and disables dislike and vice versa.

 

[Fillip H.]

In that case, I'll need an FTP and AdminCP account for your forum.

Just to confirm, the steps are as follows:
1. Remove lastClick=timenow; from the JS file via Chrome's developer tools
2. Click "Like"
3. Wait 30 seconds
4. Click "Like" again to un-like
5. Click "Like" and "Dislike", no need to do it in rapid succession

I will also be recording my screen in the event that I don't detect an issue with the configuration, if I can't reproduce it normally. Please let me know if any part of the above steps are incorrect.

 

[Mental]

Those steps that I was reported by a user I was unable to re produce but I'll ask again. As for admin and ftp access, that won't be given out. Sorry.

 

[Mental]

Updated, test with their method and it worked on my forum.

I'm not Hejula but I can explain.

In google chrome hit f12 to open developer console. Click Sources and click the little play icon in the left top corner, under dbtech/thanks/clientscript you should find thanks.js. Double click that.

That will bring a bunch of JS code, hit CTRL + F and search for lastClick=timenow; now remove that line and have fun. You can dislike and like posts.

The solution is a server-sided fix in thanks.php checking if the post is allready liked or disliked by the user.

 

[Fillip H.]

I am still entirely unable to replicate this issue. There is already server-side checking in place.
The code you are deleting does nothing other than provide flood protection (which is also enforced server-side). There is not a single line in the thanks.js file that deals with button exclusivity, it's handled 100% server-side.

If you will not allow me access to double-check your configuration and debug it further on your site, then I have no choice but to close this issue as Cannot Reproduce.

Should this issue be reproducible on another forum, and the owner of that forum is willing to assist me in resolving this issue, a new version will be released with the fix included. I would recommend you subscribe to our News forum and observe the changelog for any new versions of APTL to look for this change.

If you change your mind, feel free to send me a PM with a temporary FTP and AdminCP account. Once the issue has been resolved, you can revoke the access, and I will delete the PM from the database.

 

[Mental]

I've got a temp fix my end.

Likes (Exclusive , check dislike)
Dislikes (Exclusive, check dislike)

Odd, but it appears to be working.

 

[Fillip H.]

It is not possible to edit a button to make it exclusive with itself.

If you typo'd and meant to put

Likes (Exclusive , check dislike)
Dislikes (Exclusive, check like)

Then this is not a "temp" fix, but rather the correct configuration (as per post No.7).

 

[Mental]

Then I am a retard , lol!