The module does not check if the widget allows a down vote. Example.... If a site only shows the + option, then the AJAX callback goes something like:
http://example.com/vote_up_down/node/[NODE_ID]/1/1/1

However, if one were to copy that URL and change the value field, then the module does not check and allows for minus votes. Eg:
http://example.com/vote_up_down/node/[NODE_ID]/-1/1/1

CommentFileSizeAuthor
#3 vote_up_down.module-207975.patch1.29 KBfrjo

Comments

Christefano-oldaccount’s picture

Christefano-oldaccount commented

+1

I can confirm this. Perhaps the bug could have been disclosed more discretely?

nicholasthompson’s picture

nicholasthompson
Primary language English
commented

Discretely - maybe... Although I haven't given any links to effected sites.

I was just quite concerned and thought I should post something up to make sure other users are aware of it.

I did try to find him on IRC first.

frjo’s picture

frjo commented
Assigned: Unassigned » frjo
Status: Active » Needs review
StatusFileSize
new vote_up_down.module-207975.patch1.29 KB

Please test this patch and see it it helps and don't mess up any other stuff.

nicholasthompson’s picture

nicholasthompson
Primary language English
commented

Haven't had a chance to actually test it yet (been in a meeting all day) but a visual/mental "compile" appears to be fine. The workflow looks sound and secure - assuming FALSE until proven to be TRUE to a very good idea.

I cant see that breaking anything - but I'll test it for you just to be sure.

Thanks.
Nick

drupalnewbiehaha’s picture

drupalnewbiehaha commented

I can't see any sec problem, but it does caused an error message when I give a vote directly (http://site/vote_up_down/node/1/1/1). Applied the patch works fine, the error was gone and can't reproduce, the patch code looks good, too.

marvil07’s picture

marvil07 commented
Status: Needs review » Closed (won't fix)

Please take a look to the update on the project page, now 5.x is not-really-maintained.