Karl (supersat) wrote in lj_dev,
Karl
supersat
lj_dev

/htdocs/support/act.bml bug and patch

Currently, /htdocs/support/act.bml has a bug that allows you to close a request with crediting any supportlog entry, such as answers that weren't in reply to the request, screened answers, comments, and internal comments.

This issue was brought to my attention when asciident wondered why terytaya was award 0 points for this support request (#28958). terytaya didn't even submit an answer/screened answer/comment/internal comment for that request.

This is likely what happened:

The user's question was answered by asciident with supportlog id 104919. The user received an e-mail from LiveJournal asking her to close the request if her question was answered. The user then copied the URL and pasted it into her web browser, but left off the last digit of the closure URL. So, instead of entering in:

http://www.livejournal.com/support/act.bml?close;28958;authcode;104919

they entered:

http://www.livejournal.com/support/act.bml?close;28958;authcode;10491

If you look at support request #2802, terytaya made an answer with supportlog id 10491.

Since the answer was made before the request, LJ::Support::calc_points returned a negative point value. Since the points column in the supportpoints table is an unsigned tiny integer, the negative value was stored at 0 in the database.

I've made a patch which fixes act.bml so it'll only let you credit an answer that was in response to the request you're closing. Also, only answers can be credited. The patch is available from http://www.teencity.org/act.bml.diff.
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 13 comments