Guests can vote infinitely on polls

[JoshHarmon]

In the /me thread, all votes above 14 were done by me as a guest. As a guest, I could vote as many times as desired.

Suggested fix: Don't allow Guests to vote in polls. Suggest registration instead.

[Destroy666x]

In 1.x it's stored in cookies if guest voting is enabled in forum permissions. Same or similar (IP check) thing could be done here.

[JoshHarmon]

Issue I see with cookies being the verification vector is if someone has cookies disabled in their browser, or has them cleared on browser close, as I do.

On May 11, 2015, at 2:51 PM, Przemek Pawlas [email protected] wrote:

In 1.x it's stored in cookies if guest voting is enabled in forum permissions. Same or similar (IP check) thing could be done here.

—
Reply to this email directly or view it on GitHub.

[Destroy666x]

It's not reliable, yes, similarly IP can be faked by proxies or just be dynamic. And there isn't anything more trustworthy that we can check. But I think that's still better than no guest voting possibility at all - sometimes admins may prefer risky biased results with guest voting.

[JoshHarmon]

Yeah, I didn't think about the fact that it was allowed in 1.x, mostly because almost nobody ever does that.

I think a combination of IP and cookie would be good enough.

[JN-Jones]

I'll add a canVoteInPoll permission which will default to NEVER for guests. But there should be a way to limit the number of votes a guest can make though (need to look at guest sessions, that'd be a way depending on how laravel handles that).