Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[F] Strange code in newreply.php [C-Imad Jomaa]
#1
Hello,

recently i stumbled upon a strange code part in newreply.php. I am not sure if this a bug or if i simply don't get the logic... Huh
First let me explain:

Yesterday we started a "release party" for the new KDE 4.2 release on forum.kde.org
For that, we decided to let congratulations in from every user who whishes to, no registration needed, only captcha and moderation. At least for this day Wink

Then we got reports that submitting an entry with the "new reply" button doesn't work like expected (quick reply field works like a charm).
You need to fill in a username (guest as default) and a password. Leaving the pw field empty throws an usernametaken error. Looking at the code i have this:

if($mybb->input['action'] == "do_newreply" && $mybb->request_method == "post")
{
	// Verify incoming POST request
	verify_post_check($mybb->input['my_post_key']);

	$plugins->run_hooks("newreply_do_newreply_start");

	// If this isn't a logged in user, then we need to do some special validation.
	if($mybb->user['uid'] == 0)
	{
		$username = htmlspecialchars_uni($mybb->input['username']);

		// Check if username exists.
		if(username_exists($mybb->input['username']))
		{
			// If it does and no password is given throw back "username is taken"
			if(!$mybb->input['password'])
			{
				error($lang->error_usernametaken);
			}

And that's where it doesn't make much sense to me. I mean, it was expected behaviour to allow posts without being registered and having a valid pw.

So why this error check here?
forum.kde.org
Communicate.
#2
It's to stop people posting as a guest in the name of someone who is already registered. It checks the database for the username, if the user is registered and they haven't given a password, it throws the error.

(I would assume).
#3
Yes, that would explain it... must have overread the line with the username check.

But unfortunately i now found the real bug... It is not in newreply, but in the quick reply box. Filling that out and sending it doesn't ask for username nor password, it just sends it and it uses the default username (Guest). Though the posts aren't added to the user, if he really exists.
forum.kde.org
Communicate.
#4
OK - the guest quick-reply is intentional as I figure it, as it is supposed to just post it under test. There is no need to do a username check here.

Are you saying that in this specific forum, when a user (who is logged in) posts - either by quick or full reply - their post count does not increase?
#5
I just tried quick-replying as a guest on my test forums and it worked fine. You'd think someone would notice before now if guest posting is completely broken.
#6
It is not broken, no.
But let me re-explain:

We now have this thread open for guests. If the guests use the quick reply it DOES get posted, sure. But now with username "Guest", without that it actually gets checked if this username already exists (and it does).
So we now have hundreds of Posts from "Guest"s, but our registered user "Guest" still has 0 posts. So no problem here.

Just that it doesn't get checked when using the quick Reply.
forum.kde.org
Communicate.
#7
It's because the actual guest user will post with a user-id of 0, so the registered user called "Guest" will have a user-id of 43342 (or something, an actual number), so his post count won't go up.

Not sure whether there's any need to check for the username in this case...
#8
Erm, I may not be following, but can't he just login?
#9
No, we are talking about a different behaviour here.

Use the "New Reply" button
This way the guest user (as in: he won't sign up) needs to choose a username and if that already exists, he needs to provide a PW. Makes sense. I wouldn't like to see posts under the same name i am using, even if it is marked as "unregistered".

Use the "Quick Reply" field
This way the guest user will not even be prompted for a username, he simply gets the default guest username. And even further, it will not be checked if this name already exists.
So with this method you also have a second problem, say you are user "Guest", registered, but not logged in, you 1. will not be prompted for your PW after you try to send (maybe you just forgot to login, who knows) and 2. your post will not be assigned to you
forum.kde.org
Communicate.
#10
(01-28-2009, 09:38 PM)neverendingo Wrote: Use the "New Reply" button
This way the guest user (as in: he won't sign up) needs to choose a username and if that already exists, he needs to provide a PW. Makes sense.

No they don't? Your not required to enter a username.

(01-28-2009, 09:38 PM)neverendingo Wrote: Use the "Quick Reply" field
This way the guest user will not even be prompted for a username, he simply gets the default guest username. And even further, it will not be checked if this name already exists.

There is no check because there is no username field. It's called "quick" reply because it's goal is to be quick and not fill the user with prompts and fields and inputs.

(01-28-2009, 09:38 PM)neverendingo Wrote: So with this method you also have a second problem, say you are user "Guest", registered, but not logged in, you 1. will not be prompted for your PW after you try to send (maybe you just forgot to login, who knows) and 2. your post will not be assigned to you

Then they can delete the post, login the usual way or via New Reply, and then re-post it


Forum Jump:


Users browsing this thread: 1 Guest(s)