Solved duplicate votes issue; Discovered karma exploitation

Exploit - Currently even if you already upvoted you can click the upvote button again, which doesn't add a new vote to the post/comment but *does* add more to the user's karma since there's no check for existing vote value to only add karma for actual changes to votes
koroket · Dec 20, 2014 · 7f3c740 · 7f3c740
1 parent 3d2e07a
commit 7f3c740
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb
@@ -94,6 +94,6 @@ def comment_params
     end
 
     def current_user_existing_vote
-      @vote = current_user.votes.find_by(comment_id: params[:id])
+      @vote = current_user.votes.find_by(votable_id: params[:id])
     end
 end
diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
@@ -111,6 +111,7 @@ def correct_user
     end
 
     def current_user_existing_vote
-      @vote = current_user.votes.find_by(post_id: params[:id])
+      # @vote = current_user.votes.find_by(post_id: params[:id])
+      @vote = current_user.votes.find_by(votable_id: params[:id])
     end
 end