Re: [aur-dev] cookies + suspended account

2013-02-28 Thread canyonknight
On Wed, Feb 27, 2013 at 5:26 PM, Alexander Rødseth  wrote:
> Hi,
>
>
> 2013/2/27 Angel Velásquez :
>> For solving the problem right now -quick and dirty-, we just have to
>> add a validation (tsk tsk anyone who wants to sum contributions can
>> code this silly patch), if the user is suspended don't let him flag
>> the package and actually redirect him to the logout page (to kill
>> those cookies).
>
> Wouldn't he/she/they be able to just register more accounts and
> continue flagging packages this way?

Yes, a malicious user would be able to evade suspension by registering
new accounts. In my opinion, those situations call for IP banning.


Re: [aur-dev] cookies + suspended account

2013-02-28 Thread canyonknight
On Thu, Feb 28, 2013 at 6:30 PM, Alexander Griesbaum  wrote:
> On Tue, Feb 26, 2013 at 8:20 PM, Daniel Wallace  wrote:
>
>> Hello,
>> I have been having to deal with some idiot who is pissed off in the aur
>> for some reason.  He keeps marking all my packages out of date.  And
>> somehow he is able to continually do this even after I have suspended
>> his account.  I am not sure if this is because of the cookie still
>> working and him still being logged in.
>>
>> Would it be possible to add captchas to flag packages out of date, or to
>> make it so that suspending an account kills the cookie?
>
>
>
> Maybe I missed something...
> I want to get back to the fact, that the user could flag packages after he
> was suspended. In January, canyonknight committed a patch for this
> specific problem[1]:
> "A suspended user can stay in active sessions. Introduce new function
> delete_user_sessions to remove all open sessions for a specific user.
> Allows suspensions to take effect immediately."

Yes, that patch should immediately suspend a user account. There
hasn't been a new AUR release since that was committed, so I don't
believe it was applied to the official AUR setup.

>
> I tested this locally and I can confirm that the suspended user was
> immediately logged out. Maybe you should file a bug report and
> we should do some tests here?

Thanks for confirming that my patch works!


Regards,

Jason


Re: [aur-dev] cookies + suspended account

2013-02-28 Thread Alexander Griesbaum
On Tue, Feb 26, 2013 at 8:20 PM, Daniel Wallace  wrote:

> Hello,
> I have been having to deal with some idiot who is pissed off in the aur
> for some reason.  He keeps marking all my packages out of date.  And
> somehow he is able to continually do this even after I have suspended
> his account.  I am not sure if this is because of the cookie still
> working and him still being logged in.
>
> Would it be possible to add captchas to flag packages out of date, or to
> make it so that suspending an account kills the cookie?
Maybe I missed something...
I want to get back to the fact, that the user could flag packages after he
was suspended. In January, canyonknight committed a patch for this
specific problem[1]:
"A suspended user can stay in active sessions. Introduce new function
delete_user_sessions to remove all open sessions for a specific user.
Allows suspensions to take effect immediately."

I tested this locally and I can confirm that the suspended user was
immediately logged out. Maybe you should file a bug report and
we should do some tests here?
--

I don't like captchas. What if the time you have to wait between flagging
packages will be doubled from package to package? If you stop flagging
for one hour (or so), the timer will be reset. Most of you may know
this from password fields. It prevents huge spamming and gets really
annoying when you want to flag many many packages. It shouldn't be
hard to wait a few seconds if you want to flag just a few.

Alex
//gridcol

[1]
https://projects.archlinux.org/aur.git/commit/web?id=150b0f9f0a5174e72a27469030135e98b2a43815
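The two mechanisms discussed in this thread, modelled in Python as an added example that is not the AUR's PHP code: suspension drops every open session of the user (the `delete_user_sessions` idea from the committed patch, with a secondary suspended-account check on the flag action), and flagging is rate-limited by a wait that doubles per flag and resets after an hour of inactivity (the proposal in the last message). The class, the `kill_sessions` switch used to reproduce the pre-patch behaviour, and the 5-second base wait are assumptions of this example.

```python
BASE_WAIT = 5        # seconds to wait after the first flag (constructed value)
RESET_AFTER = 3600   # idle time after which the doubling timer resets (one hour, as proposed)

class Aur:
    """Constructed model of AUR accounts, sessions and the flag-out-of-date action."""

    def __init__(self):
        self.users = {}      # username -> {"suspended": bool}
        self.sessions = {}   # session id (cookie value) -> username
        self.backoff = {}    # username -> (time of last flag, current wait in seconds)

    def register(self, user):
        self.users[user] = {"suspended": False}

    def login(self, user, sid):
        self.sessions[sid] = user

    def delete_user_sessions(self, user):
        # The fix from the committed patch: drop every open session of this user,
        # so the suspension takes effect even though the cookie is still in the browser.
        for sid in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[sid]

    def suspend(self, user, kill_sessions=True):
        self.users[user]["suspended"] = True
        if kill_sessions:  # kill_sessions=False reproduces the pre-patch behaviour
            self.delete_user_sessions(user)

    def flag_out_of_date(self, sid, now):
        user = self.sessions.get(sid)
        if user is None:
            return "rejected: no session"
        if self.users[user]["suspended"]:
            return "rejected: suspended"  # the "quick and dirty" check from the thread
        last, wait = self.backoff.get(user, (None, 0))
        if last is not None and now - last >= RESET_AFTER:
            wait = 0                      # idle for an hour: the timer is reset
        if last is not None and now < last + wait:
            return "rejected: wait %ds" % (last + wait - now)
        # allowed: record the flag and double the wait for the next one
        self.backoff[user] = (now, BASE_WAIT if wait == 0 else wait * 2)
        return "flagged"
```

With `kill_sessions=False` the stale cookie keeps resolving to a user and only the explicit suspended check blocks the flag; with the session deletion the cookie no longer maps to any session at all.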