
Review System

Is there something I can add to stop users from reviewing their own link? I already force a user to be logged in to access the review system so it just needs to compare their user name to the link owner.

Thanks in advance for any help :)
Re: [Triffid] Review System
Because of the way Links works, someone could hack the URL and make it work; the only way to block it is to edit the review.pm file and check for Username==LinkOwner.

If you were not concerned about hacking, you could put in the rate.html an <%if%> that blocks the rate routine and displays a message if Username eq LinkOwner.


PUGDOG® Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.
Re: [pugdog] Review System
I think I know the question...
Is there a hack to stop the same person who owns the link from reviewing that site by comparing - for example - login details or email addresses?

That I do not know.
There is nothing to stop a person from registering twice under different names and doing it anyway. Or getting their friends to do it. There is always a way to defeat any system. My opinion is to worry about something else.
Re: [Gypsypup] Review System
You can't stop people from multiple logons... unless you catch them.

But the problem with the question as asked is that any template-based block to the ratings would "fail" if a user passed in the values directly to the rate.cgi script. You can "spoof" them, since the check is not in the script.

The only way to really prevent this is to edit the rate.pm file to catch:

    # In rate.pm, before the rating is stored: compare the logged-in user
    # with the owner stored in the link record and refuse if they match.
    if ($USER->{'Username'} eq $rec->{'LinkOwner'}) {
        print $IN->header();
        print Links::SiteHTML::display('error', { error => 'You cannot rate your own link' });
        return;
    }

There might be some problems with that, but the concept is right.

Simply checking for this sort of thing in the template -- without blocking it in the back-end script -- is how security holes open up.

rate.cgi/rate.pm is not set up to catch this sort of thing -- only whether a user needs to be logged in or not.


PUGDOG® Enterprises, Inc.

The best way to contact me is to NOT use Email.
Please leave a PM here.
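A stand-alone Perl sketch of the back-end check described in the reply above, added here as an example and not taken from Gossamer Links' rate.pm. The %LINKS table, the rating_error function and the session hash are constructed for illustration; the point it shows is that the owner is read from the stored link record, so values posted straight to the script cannot change the result.

```perl
#!/usr/bin/perl
# Added example, not Gossamer Links' own rate.pm: a stand-alone sketch of the
# server-side ownership check. Assumptions: the logged-in user comes from the
# session, and the link record is looked up in storage by the submitted ID.
use strict;
use warnings;

# Constructed sample data standing in for the Links table.
my %LINKS = (
    101 => { ID => 101, Title => 'Example site', LinkOwner => 'alice' },
    102 => { ID => 102, Title => 'Another site', LinkOwner => 'bob'   },
);

# Returns undef when rating is allowed, otherwise the error message.
# $user: session record ({ Username => ... }) or undef when not logged in.
# $in:   submitted form hash; only ID is used from it, and only once found.
sub rating_error {
    my ($user, $in) = @_;
    return 'You must be logged in to rate a link'
        unless $user && defined $user->{Username};

    my $id = $in->{ID};
    return 'Invalid link ID' unless defined $id && $id =~ /^\d+$/;

    my $rec = $LINKS{$id} or return 'Link not found';

    # Owner is read from the stored record, never from the form, so a client
    # that skips the template and posts to rate.cgi directly gains nothing.
    return 'You cannot rate your own link'
        if $user->{Username} eq $rec->{LinkOwner};

    return;
}

# Simulated requests, including one that posts to the script directly with
# an extra LinkOwner field; the check ignores that field entirely.
my @cases = (
    [ { Username => 'alice' }, { ID => 101 } ],                     # own link
    [ { Username => 'alice' }, { ID => 101, LinkOwner => 'bob' } ], # spoofed field
    [ { Username => 'alice' }, { ID => 102 } ],                     # another owner
    [ undef,                   { ID => 102 } ],                     # not logged in
    [ { Username => 'alice' }, { ID => 999 } ],                     # unknown link
);
for my $c (@cases) {
    my $err = rating_error(@$c);
    print defined $err ? "blocked: $err\n" : "allowed\n";
}
```

Only the third case is allowed; the first two are blocked as the owner's own link whatever the form claims, and the last two fail the login and lookup checks.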