Rather large security issue: Repliers can currently add a poll to any thread...

yllus

Elite Member & Lifer
Aug 20, 2000
20,577
432
126
On second thought it's probably not a good idea to have this procedure sitting out in the open. AnandTech Moderator, Jason Clark, you have PMs.

Edit: Damn you aves2k! What's even funnier is I don't have permission to edit your poll. :p
 

loup garou

Lifer
Feb 17, 2000
35,132
1
81
This was a problem the first day of the changeover, I thought they fixed it?
Oh I see...you used to be able to edit polls, now you can only add them.
 

Sundog

Lifer
Nov 20, 2000
12,342
1
0
Originally posted by: yllus
Originally posted by: iloveme2
they must have fixed it.
Negative. Still unresolved at the time of this post.

ERROR: Sorry, you do not have permissions to access the requested object.
Error Code: 103

That comes up when I try to edit the poll. The button is still there, but the 103 error occurs.
 

loup garou

Originally posted by: Sundog
Originally posted by: yllus
Originally posted by: iloveme2
they must have fixed it.
Negative. Still unresolved at the time of this post.

ERROR: Sorry, you do not have permissions to access the requested object.
Error Code: 103

That comes up when I try to edit the poll. The button is still there, but the 103 error occurs.
See my earlier post.
 

yllus

Originally posted by: Sundog
Originally posted by: yllus
Originally posted by: iloveme2
they must have fixed it.
Negative. Still unresolved at the time of this post.

ERROR: Sorry, you do not have permissions to access the requested object.
Error Code: 103

That comes up when I try to edit the poll. The button is still there, but the 103 error occurs.
You can't edit a poll because Jason's now attached the member ID # to the poll as verification against people modifying polls that are not theirs. However the ability to add polls to any thread still exists. I can't really get into it any further without giving away how.

Jason Clark, AnandTech Moderator, you have PM.
 

Sundog

Originally posted by: werk
Originally posted by: Sundog
Originally posted by: yllus
Originally posted by: iloveme2
they must have fixed it.
Negative. Still unresolved at the time of this post.

ERROR: Sorry, you do not have permissions to access the requested object.
Error Code: 103

That comes up when I try to edit the poll. The button is still there, but the 103 error occurs.
See my earlier post.

Ah....yep, I see it now.
 

InlineFive

Diamond Member
Sep 20, 2003
9,599
2
0
Originally posted by: yllus
Originally posted by: Sundog
Originally posted by: yllus
Originally posted by: iloveme2
they must have fixed it.
Negative. Still unresolved at the time of this post.

ERROR: Sorry, you do not have permissions to access the requested object.
Error Code: 103

That comes up when I try to edit the poll. The button is still there, but the 103 error occurs.
You can't edit a poll because Jason's now attached the member ID # to the poll as verification against people modifying polls that are not theirs. However the ability to add polls to any thread still exists. I can't really get into it any further without giving away how.

Jason Clark, AnandTech Moderator, you have PM.

Are you a FuseTalk designer or something?
 

yllus

Originally posted by: PorBleemo
Originally posted by: yllus
You can't edit a poll because Jason's now attached the member ID # to the poll as verification against people modifying polls that are not theirs. However the ability to add polls to any thread still exists. I can't really get into it any further without giving away how.

Jason Clark, AnandTech Moderator, you have PM.

Are you a FuseTalk designer or something?
Nah, no need to be. ColdFusion is mostly just the conduit to display the data pulled from the forums database. The SQL logic is what drives the entire site.

As every member has a member ID # (for example, you are #129480), the best way to program in logic to decide whether a person should be able to edit a poll or not is to log the member ID # of the poll creator. Then later on if a member wishes to edit the poll, the forum code only allows them to do so if their member ID # matches what was originally logged. It's just the most straightforward and logical solution to the problem.

With the bug outlined in the original post, Jason's likely just going to go find the 'add poll' code he wrote earlier and edit it to check the member ID # of the thread creator against the member ID # of the person trying to create the poll. If it matches, allow the creation. If not, deny. It's likely a single line of code to add in.
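
Added example, not part of the thread and not FuseTalk's code: a sketch of the two ownership checks described in the post above, enforced inside the SQL statements so that a visible button or a hand-built request cannot bypass them. The schema, function names and member IDs are assumptions constructed for illustration.

```python
import sqlite3


class Forbidden(Exception):
    """Raised when the requester does not own the target object."""


def make_db():
    # Constructed sample schema and rows; all names and IDs are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE threads (thread_id INTEGER PRIMARY KEY,
                              creator_id INTEGER NOT NULL);
        CREATE TABLE polls (poll_id INTEGER PRIMARY KEY,
                            thread_id INTEGER NOT NULL REFERENCES threads(thread_id),
                            creator_id INTEGER NOT NULL,
                            question TEXT NOT NULL);
        INSERT INTO threads VALUES (1, 1001), (2, 1002);
    """)
    return db


def add_poll(db, session_member_id, thread_id, question):
    # session_member_id must come from the server-side session, never from
    # a form field or URL parameter supplied with the request.
    # The SELECT yields a row only if the requester created the thread, so
    # the ownership check and the insert happen in one statement.
    cur = db.execute(
        """INSERT INTO polls (thread_id, creator_id, question)
           SELECT thread_id, creator_id, ? FROM threads
           WHERE thread_id = ? AND creator_id = ?""",
        (question, thread_id, session_member_id))
    if cur.rowcount != 1:
        raise Forbidden("no permission to add a poll to this thread")
    return cur.lastrowid


def edit_poll(db, session_member_id, poll_id, question):
    # The logged creator_id is part of the WHERE clause, so a non-owner's
    # request changes zero rows regardless of what the UI displayed.
    cur = db.execute(
        "UPDATE polls SET question = ? WHERE poll_id = ? AND creator_id = ?",
        (question, poll_id, session_member_id))
    if cur.rowcount != 1:
        raise Forbidden("no permission to edit this poll")
```
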