The poll currently limits users to voting based on an IP address. It is better than a cookie since it is much harder to fake an IP address than to use a clean cookie. However, this means that only one of all the people behind a NAT-ed IP address or behind a corporate proxy will be able to vote; none of the others can vote "again". This will be a problem in huge intranets where all traffic goes via a proxy server. So I would like to see the IP address limitation as an option (default on), and I think it might be wise to take a look at the "x-forwarded-for" headers sent by most proxy servers. This makes it possible to let many people behind one proxy vote.
Comment | File | Size | Author |
---|---|---|---|
#20 | poll.module.patch | 2.52 KB | yingtho |
#14 | 14179-poll_module_cookie_voting-D6.patch | 3.78 KB | greg.harvey |
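
An added example (not code from poll.module or from any patch attached to this issue) of the X-Forwarded-For idea in the request above: the header is honoured only when the request arrives from a proxy the site operator trusts, because any client can send it. The function name, the trusted-proxy list and all addresses are assumptions constructed for illustration.

```php
<?php
// Added example; function name and all addresses are constructed for illustration.

/**
 * Build the key used for the "one vote per address" check.
 *
 * $remote_addr is the TCP peer ($_SERVER['REMOTE_ADDR']); $xff is the raw
 * X-Forwarded-For value or NULL; $trusted_proxies lists proxies the site
 * operator has decided to believe (assumption: configured by hand).
 */
function example_poll_voter_key($remote_addr, $xff, array $trusted_proxies) {
  // Any client can send this header, so honour it only when the direct
  // peer is a known proxy. Otherwise each request could claim a new address.
  if ($xff === NULL || !in_array($remote_addr, $trusted_proxies, TRUE)) {
    return $remote_addr;
  }
  $hops = array_map('trim', explode(',', $xff));
  // The rightmost entry was appended by the trusted peer itself; entries
  // further left were supplied by whoever talked to it. Walk right to left
  // and stop at the first hop that is not one of our proxies.
  for ($i = count($hops) - 1; $i >= 0; $i--) {
    if (filter_var($hops[$i], FILTER_VALIDATE_IP) === FALSE) {
      return $remote_addr; // Malformed header: fall back to the peer.
    }
    if (!in_array($hops[$i], $trusted_proxies, TRUE)) {
      // Prefix with the proxy address: private ranges such as 10.0.0.0/8
      // repeat behind different proxies and would otherwise collide.
      return $remote_addr . '/' . $hops[$i];
    }
  }
  return $remote_addr;
}

// Constructed requests: array(REMOTE_ADDR, X-Forwarded-For).
$trusted = array('192.0.2.10');
$requests = array(
  array('192.0.2.10', '10.1.4.7'),               // intranet user A via the proxy
  array('192.0.2.10', '10.1.4.8'),               // intranet user B, same proxy
  array('192.0.2.10', '198.51.100.9, 10.1.4.7'), // extra client-supplied hop is ignored
  array('203.0.113.5', '10.9.9.9'),              // unknown peer: header not trusted
  array('203.0.113.5', NULL),                    // direct connection, no header
);
foreach ($requests as $r) {
  echo example_poll_voter_key($r[0], $r[1], $trusted), "\n";
}
```

Users A and B get distinct keys behind the same proxy, while a header sent by an untrusted peer never changes the key.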
Comments
Comment #1
mr700
I was thinking about this just before I found this request. First I want to note there can't be a perfect implementation (you can always trick the system - register 10 new users and use 10 votes) until you use certificates (which will maybe be almost perfect). Here are the problems I found when I was thinking of doing something about this (which make x-forwarded-for and via headers useless):
I was thinking about overloading the server with permanent cookies and allow voting only to users with older than the poll cookies, but the user can have X browsers + X profiles. For me this was more than enough to forget about it and any tricks I can think of, at least for now.
PS: The 'register to vote' solution still works...
Comment #2
bertboerland
Could someone with knowledge about poll.module update this old one?
Comment #5
ac
An optional IP validation control in the poll admin would be a lovely feature. The option could disable the IP match and enable cookie authentication to check if a user has voted. I understand it is not secure but it is not like this is going to be used for elections. Currently the restriction based on IP is a show stopper for using poll.module on local networks and in situations where you need to survey a number of people (who do not want to register) within an organisation (that only has 1 IP).
Comment #6
ac
Comment #9
robdinardo
I agree with AC. The module should allow the option of IP or cookie validation to test whether the user voted. Maybe add a description that Cookie validation is not secure.
In the poll_vote() function, I added:
and it works fine - the cookie gets added to the browser and expires in about a year.
In the poll_load() function, I replaced the $result if statement with:
... the vote gets recorded, and the user cannot vote again without clearing the cookies, but the block shows the choices instead of the results. ???
Comment #10
hillaryneaf
Subscribe... I want the same feature... cookie-based voting.
Comment #11
FuN_ViT
I wrote my own module, based on the poll (Drupal 5.7) module; see http://drupal.org/node/237126
Comment #12
fuquam
That made it so the poll results were not shown. Vote was recorded but results were not shown afterwards.
Comment #13
Susurrus
Feature requests against HEAD. Also, see #237213: Fixed poll code for anonymous voting.
Comment #14
greg.harvey
Working patch attached. Please test and post feedback. It's a tidied up version of pash7ka's patch in comment #5 of #237213: Fixed poll code for anonymous voting - that is a D7 issue, so I've moved the patch here.
Comment #15
domesticat
I'm giving this patch a try.
Comment #16
domesticat
Patch in #14 did not apply cleanly for me, so I applied it by hand. The code worked, though; cookies are being set properly for anonymous votes, and users inside our network (who all appear to have the same IP address outside our network thanks to firewalling) are all able to vote anonymously without issue.
Marking RTBC. @greg_harvey -- thank you. This was a huge problem for us.
Comment #17
greg.harvey
Welcome! Odd it didn't apply. I probably did something silly.
Thanks as well to pash7ka, who wrote the patch. I only really tidied it up. =)
Not sure what's going on with the D7 patch now - it seems to have stalled, but I've fixed all the issues Dries raised, except for the ones I think either aren't issues or I don't understand what he wants. Sadly, he hasn't come back since to expand on his comments...
Comment #18
Gábor Hojtsy
New features are added to Drupal 8, not Drupal 6 or 7 anymore.
Comment #19
greg.harvey
@Gabor, we know that - this is for people who want the feature in D6. A more appropriate Status would be "won't fix" then, as the active D7 patch is here: #237213: Fixed poll code for anonymous voting
This needs bumping to D8 since it failed to make the cut. Will do it now. =)
All other comers, D6 patch in #14 works if you need this, otherwise please contribute to D8 patch in the issue above.
Comment #20
yingtho
The code only seems to work partly for me. If I remove the cookie then I can see the poll form, but when I submit it just shows the result and the poll choice is not submitted. I have made a small patch to make it work. Please see enclosed.
Comment #21
xalexas
#14 is not working for anonymous users, only for registered users. Anonymous users get the message "Your vote wasn't recorded". I have enabled access for anonymous users.
Comment #22
mean0dspt
#21 passed initial testing on my production website.
I didn't try #14; maybe it was fine too.
Comment #23
Cyberwolf
I tried the patch at #20 and at first sight it seems to work fine.
However I am a bit concerned about the possible situation that the rand() function might return the same random number twice, so in theory there is still the possibility that one might get the same key and actually overwrite another one's voting choice. I'd rather generate a more unique key by using uniqid() instead of rand().
Comment #24
cato
I'd think a better way to solve this would be to remove all references to any IP address. Using it implies that IP#s are dependable, which is false. If cookies are disabled, IP# is still not a working method to identify users since many anonymous users are coming from the same IP# due to NAT.