Multiple Likes on a single post



  • Ref:
    http://what.thedailywtf.com/t/the-official-likes-thread-topic-like-column-death/1000/13616?u=chaostheeternal

    Link to double-liked post: here

    As far as I can tell, it's not local, because I did it from my phone, verified from the desktop, and another user was able to see it.



  • Confirmed from my point of view. Also, the username tool tip on the two icons is identical so it's not someone borrowing the same avatar.


  • Discourse touched me in a no-no place

    Confirmed.

    EDIT- beaten to it.


  • BINNED

    Confirmed. There seems to be quite a bit of shenanigans around likes. They are also one of the prime suspects for a one-time bug where @faoileag managed to catch my email in the JSON.



  • So, 200K likes later we finally found a bug?

    😃


  • BINNED

    @mott555 said:

    So, 200K likes later we finally found a bug?

    Well, we did break the "scrollbar". Twice.



  • "Days since last Discourse bug: 0"



  • Days since last Discourse bug: 0



  • Days since last Discourse bug: 0


  • What fucking voodoo is this?

    If you do a quote manually it's not taken through the screw-you-be-original toaster?!

    *shakes fist* Discourse!!!



  • The only repro I can say for it was:

    • I clicked the Like button
    • My Android phone showed that I was the first liker
    • It refreshed[1]
    • It said I no longer liked it, and showed that @Onyx was the first and only liker
    • I clicked the Like button again
    • It showed that "You and 1 other liked this."
    • It refreshed[1]
    • It showed that "You and 2 others liked this."
    • Expanding it showed me liking it twice, after @Onyx did

    So, maybe not reliable steps to reproduce, but that's what I did.


    [1] By "refreshed", I mean the post action buttons and the "who liked this" area were changed due to Discourse pushing down a notification that an action happened on that post.


  • ♿ (Parody)

    You'd think this would be prevented by a DB constraint.


    Filed Under: bwahahahahahaha



  • You'd think, but this is Discourse, where you were also able to have two posts in a topic having the same post number (also a bug I'd been involved with).



  • DB constraints are so now. Dicsourse is so 10 years from now.



  • @boomzilla said:

    You'd think this would be prevented by a DB constraint.


    Filed Under: bwahahahahahaha

    No kidding. At worst, you'd expect an exception.



  • Well the geniuses have a
    posts_action table.

    In that table not only do likes get stored but also edits, spam votes, bookmarks, spam report, notify moderator, inappropriate flagging, (why the fuck are user reports, spam reports and inappropriate flags separate, it all goes to moderators anyway).

    They could add a unique index on post id, user id and post_action_type but the other flags might break? Don't know.

    By the way, this means you can spam "Spam reports". hint hint



  • #EAV ALL THE THINGS!

    Body is invalid; try to be a little more descriptive



  • Well, shit. We broke it again.

    http://i.imgur.com/xFC0DAj.png



  • Definitely looks like it's some server-side condition failing, because just spamming posts at the server doesn't work:

    for(var i=0;i<2;i++) {
        jQuery.post("http://what.thedailywtf.com/post_actions", "id=56911&post_action_type_id=2&flag_topic=false", null, "json");
    }
    

    One of them will go OK, the rest will return 500 errors, and the post will display as if you haven't liked it (the client side is, I assume, trusted to already have updated as a part of posting that), but clicking the button gives an error, and refreshing the post shows you as having liked it.



  • [code]
    before_create do
      # Application-level duplicate check; it runs before the row is inserted.
      post_action_type_ids = is_flag? ? PostActionType.flag_types.values : post_action_type_id
      raise AlreadyActed if PostAction.where(user_id: user_id)
                                      .where(post_id: post_id)
                                      .where(post_action_type_id: post_action_type_ids)
                                      .where(deleted_at: nil)
                                      .where(disagreed_at: nil)
                                      .where(targets_topic: targets_topic)
                                      .exists?
    end
    [/code]

    Guess that must not work when it duplicates.



  • What it would suggest is, a request has done that check, but is blocked on actually writing the action when another comes in and also passes the check, then the multiple writes happen. Wonder what was happening that was blocking the write.

    A constraint would fix it, but they'd also need to write something to handle the error the constraint will pop up (or do nothing, like they do with a lot of other errors you can get).


    I just noticed you double-liked the same post that @Maciejasjmj triple-liked.



  • I've started like bombing the forum.
    [code]
    var offset = 53911;
    var count = 100;
    for(var i=offset;i<offset+count;i++) {
        jQuery.post("http://what.thedailywtf.com/post_actions", "id="+i+"&post_action_type_id=2&flag_topic=false", null, "json");
    }
    [/code]

    Change the post_action_type_id=2 to an 8 to mark everything as spam instead.



  • I, at least, was nice enough that my script would only go for a single topic that you leave your browser looking at. You're going scorched earth, and will pretty quickly run into the like limit.



  • Hah, guess we'll see what the like limit is. I like this forum, I am going to like it all!

    If someone used a csrf token this would be less of an issue.



  • It's either 500 posts or 5000, depending on if @PJH set it back or hadn't messed with it since the Likes thread was aiming at 10k posts (or changed it to something else entirely after it was set at 5000).



  • But is that the like limit for a thread or for a user total? Both seem broken to have and both are an example of shit design.



  • @delfinom said:

    But is that the like limit for a thread or for a user total?

    Per user per day.

    @delfinom said:

    Both seem broken to have and both are an example of shit design.

    If the search worked well, I'm sure I could find a few posts that effectively say the same thing as you just now, both regarding the like rate limiting and other things. Hell, it's why "JDGI" is an acronym here now.



  • Per user per day? No problem. setTimeout in a browser works great.



  • I'm pretty sure I remember him saying he lowered it, but DiscoSearch. IIRC, he was vague about what he lowered it to — not the default of 50, but maybe more or less than 500.



  • Between 700 - 750


  • :belt_onion:

    @HardwareGeek said:

    but maybe more or less than 500.

    I'd say that you are very likely right that it is more or less than 500.
    Unless it is 500!



  • Up to 500 or more!



  • 499.999... I don't think we've had that discussion on the DC forum yet. 😈

    Seriously, I was saying it might or might not be 500; we don't know because @PJH didn't say (that I recall).



  • I think you can replicate this by clicking the like button multiple times. I keep seeing the 1 person likes this, like it too, but my timing sucks and I'm over clicking negating both likes.

    Looks like a race condition while it's loading the json

    I managed to get my like counter to be -2 on the first post lol



  • Repro steps:

    1. Have an Android device (not sure if it's Android specific, or mobile, or just slower loading browser, maybe works on another computer if you can coordinate it)
    2. Spam click the like button on your mobile device
    3. Spam click the like button on your desktop at the same time

    After a few seconds you should start seeing weird things happening, such as 1 other person likes this post, like it too. (or whatever n+1 your like would be) - on mobile I was able to get to -2 likes, not sure how that happened, and I don't know how to screenshot my mobile (power button + volume doesn't work)

    If your timing is good, you'll get the double like.



  • Looks like @Maciejasjmj picked the trick up too.



  • Also, if you double click the ❤ a lot, it will stop responding.



  • I think it's actually just the like undo timer expiring.



  • I suppose. But, if I undo a like and it expires, I'm never allowed to like it?



  • Pretty much, since it thinks you've already liked it. I think there's a cleanup process at some point which re-enables it (or clears whatever cache it has) - you might be able to force it with a ctrl+f5, not sure. It's just one of the discourse special features.



  • Enforcing an action with server-side transactional logic. Something I perfected a year out of college, and these guys haven't yet.

    EDIT: I would not have been able to legally drive a car when I made this comment.


  • Discourse touched me in a no-no place

    @delfinom said:

    By the way, this means you can spam "Spam reports". hint hint

    Yes. I noticed.

    @delfinom said:

    Change the post_action_type_id=2 to an 8 to mark everything as spam instead.

    And rather than annoying the writers of DC, it's annoying me.

    @ChaosTheEternal said:

    It's either 500 posts or 5000, depending on if @PJH set it back or hadn't messed with it since the Likes thread was aiming at 10k posts (or changed it to something else entirely after it was set at 5000).

    It's been slowly creeping down over the past few weeks.



  • @chubertdev said:

    Body is invalid; try to be a little more descriptive

    Just found another bug: try selecting some of that very small text. Now can you find the "quote reply" floaty thing? Hint: [spoiler]scroll up[/spoiler].

    Edit: fucking broken quotes seriously. Here, select some text under 8 small tags:
    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer rutrum purus ut eros pretium vestibulum. Phasellus feugiat dictum mi, a vulputate lacus posuere in. Nam consequat imperdiet sem, vitae mollis mi luctus vitae. Donec quis nunc ac velit auctor blandit. In laoreet vulputate nunc, in gravida arcu sagittis eget. Praesent at velit lectus. Donec facilisis posuere semper. Mauris quam risus, sagittis id mattis eget, commodo viverra elit. Sed bibendum condimentum ipsum, sit amet mollis erat hendrerit a. Donec a mollis massa. Aliquam erat volutpat. Aliquam rhoncus auctor sagittis. In tristique in leo blandit cursus. Suspendisse a elit ipsum. Pellentesque adipiscing mi eu ipsum convallis, nec volutpat libero rhoncus. Proin pulvinar, lorem semper condimentum pulvinar, lacus mauris posuere ipsum, sit amet tincidunt turpis arcu at tortor. Donec vel justo ut eros porta tincidunt. Fusce viverra, quam eu mattis facilisis, tortor ante semper justo, sed porta urna purus in quam. Phasellus mattis rutrum commodo. Duis nec eleifend leo. Nam sollicitudin consectetur augue sit amet vulputate. Aenean rhoncus nisi ac pellentesque consectetur. Ut interdum quis quam vitae ultricies. Sed vitae orci vel quam mollis condimentum a eget libero. Phasellus pellentesque aliquet velit. Sed dapibus consectetur massa nec luctus. Sed ante neque, malesuada dapibus rhoncus eu, mattis sollicitudin sem. Morbi tempus, tellus tincidunt aliquet tristique, dui eros condimentum felis, ac adipiscing purus nulla sit amet ante.

    Wait, why is this next paragraph text slightly larger?



  • Days since last Discourse bug : 0


  • 🚽 Regular

    @anonymous234 said:

    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer rutrum purus ut eros pretium vestibulum. Phasellus feugiat dictum mi, a vulputate lacus posuere in. Nam consequat imperdiet sem, vitae mollis mi luctus vitae. Donec quis nunc ac velit auctor blandit. In laoreet vulputate nunc, in gravida arcu sagittis eget. Praesent at velit lectus. Donec facilisis posuere semper. Mauris quam risus, sagittis id mattis eget, commodo viverra elit. Sed bibendum condimentum ipsum, sit amet mollis erat hendrerit a. Donec a mollis massa. Aliquam erat volutpat. Aliquam rhoncus auctor sagittis. In tristique in leo blandit cursus. Suspendisse a elit ipsum. Pellentesque adipiscing mi eu ipsum convallis, nec volutpat libero rhoncus. Proin pulvinar, lorem semper condimentum pulvinar, lacus mauris posuere ipsum, sit amet tincidunt turpis arcu at tortor. Donec vel justo ut eros porta tincidunt. Fusce viverra, quam eu mattis facilisis, tortor ante semper justo, sed porta urna purus in quam. Phasellus mattis rutrum commodo. Duis nec eleifend leo. Nam sollicitudin consectetur augue sit amet vulputate. Aenean rhoncus nisi ac pellentesque consectetur. Ut interdum quis quam vitae ultricies. Sed vitae orci vel quam mollis condimentum a eget libero. Phasellus pellentesque aliquet velit. Sed dapibus consectetur massa nec luctus. Sed ante neque, malesuada dapibus rhoncus eu, mattis sollicitudin sem. Morbi tempus, tellus tincidunt aliquet tristique, dui eros condimentum felis, ac adipiscing purus nulla sit amet ante.

    Google Translate said:

    Lorem ipsum dolor sit amet pretty easy. The United States as a random sample of the pure price of manufacturing. Welcome to my newspaper said, the guys put in the lake. For a lot of development financing, soft life, my life mourning. You can now author and outdoor attractions. They faced the guys now, the designers need a bow with arrows. It's at best a bed. You can always put up. Than the laughter of the world's largest, arrows that a lot of needs, suitable cartoon right now. But drink to improve the game, it is important to ground was soft from the Bureau. We are a soft mass. Retailers. Cable TV and competitive shooting. In the course of the afternoon floating in the refrigerator. Users of the information itself. Ministry of Commerce, my outage to grow strong, nor a wide range of technology-free. Mid-China, lorem is always to improve the state box, the lake is to create a set to itself, it is important to start the scene but the torturer. Unfortunately, just as the United States or the gate manually. Clinical education, the computer what a lot of antioxidants, before the temperature is always just, but the pure on how to push the gate. It happens to a lot of Apple's revenue. It's not the obvious solution. The main research is currently available online. If not and your kids a wide range of information on the main. In order that it's just sometimes a man than of life. But the development of life from the United States to improve how soft or free. It happens overnight trading block. But the main mass of the protein and grief. But before all, nor, protein advising a wide range of football,'re on salad. Diseases of the time, patients start trading the tank,, more here to improve the cats, and no pure storage, it is important to start with.

    Initially I just wanted to translate this tidbit:

    @anonymous234 said:

    dui eros condimentum felis

    Google Translate said:

    Pakistan peanut sauce recipes

    I still think it's something to do with condimenting cats.


  • @Matches said:

    I think you can replicate this by clicking the like button multiple times. I keep seeing the 1 person likes this, like it too, but my timing sucks and I'm over clicking negating both likes.

    This seems to work. It takes a few attempts, but it's fairly reproducible. (And much ... more convenient than messing with JS or curl.)



  • Now that it's fairly reproducible, the real question is can we add it to the like script somehow 😃


  • ♿ (Parody)

    @cvi said:

    This seems to work. It takes a few attempts, but it's fairly reproducible. (And much ... more convenient than messing with JS or curl.)

    So a race condition between Like and Undo Like requests?



  • @boomzilla said:

    So a race condition between Like and Undo Like requests?

    Ha, that's exactly what it is. I just double-liked your post.



  • According to Sam the postgres unique constraint is being broken because null is being set when the like is removed, allowing the dupe from the race condition. He's proposing a fix, so have your fun now.
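
The check-then-write race and the NULL problem described in the thread, as an added example (not Discourse's code or schema). SQLite stands in for Postgres here, since both treat NULLs as distinct in a unique index; the table layout, both index definitions and the sample values are assumptions made for illustration.

```python
import sqlite3

# Constructed schema: a minimal stand-in for the post_actions table in the thread.
SCHEMA = """
CREATE TABLE post_actions (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL,
    post_id INTEGER NOT NULL,
    post_action_type_id INTEGER NOT NULL,
    deleted_at TEXT            -- NULL while the action is active
);
"""
# Assumed weak index: deleted_at is part of the key, and NULLs never compare equal.
WEAK = """CREATE UNIQUE INDEX idx_weak ON post_actions
          (user_id, post_id, post_action_type_id, deleted_at);"""
# Partial index: at most one *active* row per (user, post, action type).
STRONG = """CREATE UNIQUE INDEX idx_active ON post_actions
            (user_id, post_id, post_action_type_id) WHERE deleted_at IS NULL;"""
KEY = (1, 100, 2)  # constructed (user_id, post_id, post_action_type_id)

def already_acted(db):
    """The application-level check: is there already an active row?"""
    return db.execute(
        "SELECT 1 FROM post_actions WHERE user_id=? AND post_id=? "
        "AND post_action_type_id=? AND deleted_at IS NULL", KEY).fetchone() is not None

def insert_like(db):
    """Insert the row; map a constraint violation to a clean 'already acted' result."""
    try:
        db.execute("INSERT INTO post_actions (user_id, post_id, post_action_type_id) "
                   "VALUES (?, ?, ?)", KEY)
        return "created"
    except sqlite3.IntegrityError:
        return "already_acted"

def race(index_sql):
    """Two requests both pass the check before either writes, then both write."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + index_sql)
    checks = [already_acted(db), already_acted(db)]   # both see "no like yet"
    results = [insert_like(db) for seen in checks if not seen]
    active = db.execute("SELECT COUNT(*) FROM post_actions "
                        "WHERE deleted_at IS NULL").fetchone()[0]
    return results, active

if __name__ == "__main__":
    print("weak index:   ", race(WEAK))
    print("partial index:", race(STRONG))
```

With the weak index both writes succeed and two active rows exist; with the partial index the second write is rejected by the database and surfaces as a handled "already acted" result rather than a 500.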

