fix: prevent voting outside active game lifecycle (#2568) #2589
pranitaurlam wants to merge 4 commits into OWASP:master
Conversation
Hi @rewtd @sydseter @cw-owasp, this PR fixes issue #2568, where players could vote on dealt cards outside of an active game by submitting the card ID directly from the browser console. The fix adds a server-side lifecycle guard in handle_event("toggle_vote", ...) that rejects votes when the game hasn't started yet (started_at is nil) or has already ended (finished_at is not nil). No UI changes were needed; the guard operates purely on the server side. Happy to make any adjustments. Thanks for reviewing!
…shed_at nil)
Adds a server-side guard in handle_event("toggle_vote", ...) to prevent
players from voting on dealt cards before the game starts or after it ends.
Votes are now only processed when started_at is set and finished_at is nil.
Fixes OWASP#2568
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add two tests verifying that votes are rejected when the game has not started (started_at is nil) and when the game has already ended (finished_at is set), covering the guard added for issue OWASP#2568.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- DealtCard.find/1 not-found path and changeset
- Vote.changeset
- toggle_vote delete (vote already exists → remove)
- player_live index :edit action
- game_live handle_info non-matching topic
- game_live handle_params with finished game
- player_live next_round when round is already closed
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
a48ad9e to 8b35924
@pranitaurlam, great effort shown, but I am already working on this issue, and you should be assigned first before working on someone's issue; I had already mentioned that I am going to work on this issue. Please close this PR and ask before working on the issue. There are many other issues as well that have not been fixed for a long time; try getting assigned before working on them. I was supposed to make this PR; I was just waiting for it to get assigned and was working on it simultaneously.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pranitaurlam, in #2591 I have added the PR for my raised issue #2568; please close your PR and ask before taking someone's issue.
Summary
- Adds a lifecycle guard to handle_event("toggle_vote", ...) in player_live/show.ex
- Votes are rejected when game.started_at is nil (game not started) or game.finished_at is not nil (game already ended)
- A rejected vote logs the warning "toggle_vote rejected: game not active"
- Fixes #2568
Test plan
- With started_at nil, send a toggle_vote event from the browser console; confirm no DB change occurs and the warning is logged
- With finished_at set, send a toggle_vote event from the browser console; confirm no DB change occurs and the warning is logged

🤖 Generated with Claude Code
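The guard described in the PR description and the Summary above, written out as an added example in Elixir/Phoenix LiveView; this is not the Cornucopia project's own code. The module name, the `game` and `player` assigns, the `dealt_card_id` parameter name and the in-memory `toggle_vote/3` helper are assumptions; the real project persists votes with Ecto. The point the example shows is that the lifecycle check runs on the server for every event, so a hand-crafted event from the browser console is rejected the same way as one from the UI, with a warning logged and no state change.

```elixir
# Added example (not the project's code): server-side lifecycle guard for a
# LiveView "toggle_vote" event. Names and the in-memory vote store are assumed.
defmodule ExampleWeb.PlayerLive.Show do
  use Phoenix.LiveView
  require Logger

  # Voting is processed only while the game is active: started_at is set and
  # finished_at is still nil. Because the check reads the game from the
  # server-side socket assigns, a client cannot bypass it by crafting the event.
  @impl true
  def handle_event("toggle_vote", %{"dealt_card_id" => dealt_card_id}, socket) do
    game = socket.assigns.game
    player = socket.assigns.player

    if game_active?(game) do
      {:noreply, assign(socket, :game, toggle_vote(game, player.id, dealt_card_id))}
    else
      # Rejected path: log a warning and leave the socket (and the DB) untouched.
      Logger.warning("toggle_vote rejected: game not active",
        game_id: game.id,
        player_id: player.id,
        dealt_card_id: dealt_card_id
      )

      {:noreply, socket}
    end
  end

  # Clause order matters: a nil started_at is never active, then a nil
  # finished_at (with started_at already known to be set) is active.
  def game_active?(%{started_at: nil}), do: false
  def game_active?(%{finished_at: nil}), do: true
  def game_active?(_game), do: false

  # Assumed helper: toggles the player's vote for a card in an in-memory MapSet.
  defp toggle_vote(%{votes: votes} = game, player_id, dealt_card_id) do
    key = {player_id, dealt_card_id}

    votes =
      if MapSet.member?(votes, key),
        do: MapSet.delete(votes, key),
        else: MapSet.put(votes, key)

    %{game | votes: votes}
  end
end

# Unit tests for the guard itself, mirroring the two cases named in the
# commit message above (not started, already finished) plus the active case.
defmodule ExampleWeb.PlayerLive.ShowTest do
  use ExUnit.Case, async: true
  alias ExampleWeb.PlayerLive.Show

  test "rejects votes before the game starts" do
    refute Show.game_active?(%{started_at: nil, finished_at: nil})
  end

  test "rejects votes after the game has ended" do
    now = DateTime.utc_now()
    refute Show.game_active?(%{started_at: now, finished_at: now})
  end

  test "accepts votes while the game is running" do
    assert Show.game_active?(%{started_at: DateTime.utc_now(), finished_at: nil})
  end
end
```

The guard is deliberately a pure function of the game struct, which keeps it trivially testable and lets the same check be reused anywhere else the lifecycle matters (for example a `next_round` handler). Returning `{:noreply, socket}` unchanged on rejection matches the behaviour the test plan verifies: no database write and a warning in the logs.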