Option for anonymous votes to use session id in vote_source field

Project: Voting API
Version: 6.x-2.3
Component: Miscellaneous
Category: feature request
Priority: minor
Assigned: Unassigned
Status: needs review

Issue Summary

I recently had to put together a rating system for some essays at work and I used Fivestar with Voting API. It was quick and easy except everyone at work presents with the same IP address and they are anonymous users so each rating was overwriting the last. (In essence, lots of people were rating but Voting API saw the one IP address and thought it was one anonymous person constantly changing his vote.)

My workaround was to populate the vote_source field with the user's session_id instead of the IP address ('vote_source' => session_id()), and it seems to have the desired effect. It's not perfect (they could open new sessions to enter multiple votes), but it's better than reflecting only the latest vote.

My humble request is to add an option similar to "Differentiate anonymous users by session id". (ex. good for users behind corporate firewalls who all present with the same IP address)

Regards,
Märt

Comments

#2

Same issue, here's a patch

Attachment: anonymous-voting.patch (2.22 KB)

#3

Status: active » needs review

Subscribing +1 from me too!

#4

Ahh I've been looking through the fivestar/votingapi code for a couple hours now. I was just about to implement something like this. Nice work - will apply the patch. This should def be committed.

#5

Wait a minute.... What is the point of the other option in VotingAPI then? For the time frame before anonymous users can vote again? From what it describes it seems like it should do what we are doing here. But there is only one reference to it in the code and it doesn't make much sense to me... or work for that matter....

#6

It looks like votingapi is not using that 'Anonymous vote rollover' feature at all. There's only one reference to it in the votingapi_select_votes function but I can't figure out what it should do. I extended Stalski's anonymous-voting.patch a bit and added a check to the votingapi_set_votes function where I compare the votingapi_anonymous_window variable against the user's latest vote timestamp. This should prevent voting if a vote rollover time has been set up and has not passed yet. Here's a patch.

Attachment: votingapi-sessionid-vote_source-798790.patch (2.04 KB)

#7

Didn't include Stalski's votingapi.admin.inc changes in the previous patch. Here's a new one. Sorry.

Attachment: votingapi-sessionid-vote_source-798790-7.patch (3.64 KB)

#8

I tried the patch and I now have the session ID validation option which seems to work. I can now visit two different computers from the same range of IP addresses from one router and vote on those individual machines.

I think the only downside to this is if someone clears their browser cache, they can vote again. But I suppose there will always be people who try to game the system no matter what it is. (...and indeed the "Anonymous vote rollover" as mentioned above never really seemed to work either before or after the patch).

#9

I tried the patch, everything seems to be fine after reviewing the code, but my problem is that session_id() always changes on page refresh, which lets the same anonymous user vote unlimited times on the same content.

What I found is that when you are not logged in, the module looks for the session id in the table to see if there is a registry with a vote attached to it, and since every time that I send the request the session id is changing, no match is found, and so the user can keep voting.

What can be done to prevent this from happening?

#10

Subscribing. I have the same issue as Samshel. When using the session_id() for the vote_source unlimited votes are being allowed from anonymous users.
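
The behaviour discussed in this thread, as an added example that is not part of any comment or of the attached patches: a plain-PHP stand-in for the votes table showing the shared-IP collision from the issue summary, the session-id option, the rollover check described in #6, and the changing-session-id case from #9. Function names, the in-memory array and all sample values are constructed for illustration.

```php
<?php
// Added illustration: an in-memory stand-in for the votes table, not Voting API code.
// Function names, the $window parameter and all sample values are constructed.

// Value stored in vote_source for an anonymous voter.
function anon_vote_source($use_session, $ip, $sid) {
    return $use_session ? $sid : $ip;
}

// Store a vote unless the same source voted on this content inside the window.
// Returns true when the vote is stored, false when it is refused.
function cast_vote(array &$votes, $content, $source, $value, $now, $window) {
    $key = $content . '|' . $source;
    if ($window > 0 && isset($votes[$key]) && $now - $votes[$key]['ts'] < $window) {
        return false; // rollover window has not passed yet
    }
    $votes[$key] = array('value' => $value, 'ts' => $now); // insert or overwrite
    return true;
}

// Number of votes currently stored for one content item.
function count_votes(array $votes, $content) {
    $n = 0;
    foreach (array_keys($votes) as $key) {
        if (strpos((string) $key, $content . '|') === 0) {
            $n++;
        }
    }
    return $n;
}

// Replay a list of (ip, session id, value) requests against content 1.
function replay(array $requests, $use_session, $window) {
    $votes = array();
    $now = 1000;
    foreach ($requests as $r) {
        cast_vote($votes, 1, anon_vote_source($use_session, $r[0], $r[1]), $r[2], $now, $window);
        $now += 10;
    }
    return count_votes($votes, 1);
}

$ip = '203.0.113.7'; // constructed shared office address
$two_people = array(array($ip, 'sess-a', 80), array($ip, 'sess-b', 40));
$one_person = array(array($ip, 'sess-1', 100), array($ip, 'sess-2', 100), array($ip, 'sess-3', 100));

echo "IP source, two people:          ", replay($two_people, false, 3600), " vote(s)\n";
echo "session source, two people:     ", replay($two_people, true, 3600), " vote(s)\n";
echo "session source, id changes/req: ", replay($one_person, true, 3600), " vote(s) from one visitor\n";
```

The last line is the case reported in #9: the window check can only match an earlier vote when the value written to vote_source stays the same between requests from the same visitor.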
