verbb / comments

A Craft CMS plugin for managing comments directly within the CMS.

Guest can vote infinitely

maximeDore opened this issue · comments

Describe the bug

When you are signed in to your Craft account you can only vote once per comment.
But whenever you are signed out and voting as a guest you can vote as many times as you like.

While I understand that managing a guest's vote permissions is hard and there might be ways to bypass it, the fact that you can just spam the vote button is a bit silly. Preventing this one thing might make it look less like a bug.

Steps to reproduce

  1. Sign out of Craft CMS
  2. Upvote an existing comment.
  3. Click as many times as you like

Craft CMS version

4.4.13

Plugin version

2.0.7

Multi-site?

Yes

Additional context

No response

This is only possible if “Enable Guest Voting” is enabled, but I’m not sure how possible or feasible it is to track guests in some manner to detect whether they’ve voted or not. We can certainly introduce a form of session identifier, but all it takes is someone to create a new session to spam voting again.

Merely preventing the opportunity for everyone to spam might be enough for this. It should prevent most of the potential spammers from doing so.

Like you said, if someone knows how to bypass the session, there's not much that can be done anyway.
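
The session-identifier idea discussed in this thread, as an added example: it is not the plugin's code and was not posted by anyone in the thread. It is written in Python rather than the plugin's PHP, and the `votes` table, the `guest:`/`user:` key format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3

SECRET = secrets.token_bytes(32)  # assumption: a server-side key that never leaves the site

def issue_guest_token():
    """Return a signed value to store in the guest's session cookie."""
    sid = secrets.token_hex(16)
    mac = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"

def guest_key(token):
    """Return the voter key for a valid token, or None if the token was not issued by us."""
    sid, _, mac = token.partition(".")
    expected = hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return f"guest:{sid}" if ok else None

def open_ledger():
    """Create the (hypothetical) vote table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    # The UNIQUE constraint enforces one vote per voter per comment in the
    # database itself, so rapid repeated clicks cannot slip past a check-then-insert race.
    db.execute("CREATE TABLE votes (comment_id INTEGER NOT NULL, "
               "voter_key TEXT NOT NULL, value INTEGER NOT NULL, "
               "UNIQUE (comment_id, voter_key))")
    return db

def cast_vote(db, comment_id, voter_key, value):
    """Record a vote; return False for a missing key or a repeat vote."""
    if voter_key is None:
        return False
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO votes VALUES (?, ?, ?)",
                       (comment_id, voter_key, value))
        return True
    except sqlite3.IntegrityError:
        return False

def score(db, comment_id):
    """Sum of all recorded votes for one comment."""
    row = db.execute("SELECT COALESCE(SUM(value), 0) FROM votes "
                     "WHERE comment_id = ?", (comment_id,)).fetchone()
    return row[0]
```

Signed-in users would pass a key such as `user:42`; a guest who starts a fresh session receives a new token and therefore a new key, which is the limitation already noted in the thread.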