I know that you are not obligated to support Pressflow but let me ask if you can help me to make this module works with Pressflow. The main issue I'm having is allowing anonymous users to vote. It seems that vote up/down is asking for a token based on session_id when a user votes, but pressflow doesnt store anon sessions in db so the validation on voting is failing. Is there any way to base anonymous votes on cookies and not on drupal sessions?

Files: 
CommentFileSizeAuthor
#32 0001-feature-request-67256-follow-up-by-catch-marvil07-re.patch2.74 KBmarvil07
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 0001-feature-request-67256-follow-up-by-catch-marvil07-re.patch.
[ View ]
#28 vote_up_down.672566.patch1.79 KBcatch
FAILED: [[SimpleTest]]: [MySQL] 107 pass(es), 8 fail(s), and 21 exception(es).
[ View ]
#19 vote_up_down-pressflow-anon-sessions-672566.patch1.22 KBnibblebot
PASSED: [[SimpleTest]]: [MySQL] 2 pass(es).
[ View ]

Comments

David Strauss’s picture

As a note from the Pressflow team, we'd normally consider this sort of incompatibility a total bug on the Pressflow side. But in this case, we can't fix the incompatibility without removing the session optimization. As importantly, modules must fix this issue in order to offer a Drupal 7 version. So we are putting the burden on module maintainers to fix this quite rare compatibility issue, even though we're happy to provide help in the work to do so.

You may want to see this issue, which solves an identical issue in the Mollom module:

https://bugs.launchpad.net/pressflow/+bug/432090

joshk’s picture

Luckily I am a maintainer on Vote Up/Down. I think I can take care of this one. :)

lut4rp’s picture

Version:6.x-1.x-dev» 6.x-2.x-dev

joshk, that would be great, I'm being burdened down by heavy exam artillery. Also, I would want this to go in 2.x rather than 1.x, 2.x being the version that will be supported in the future.

BenK’s picture

Subscribing...

tranquille’s picture

^^ that

BenK’s picture

Just checking in to see if there have been any developments on this...

--Ben

chawl’s picture

VUD and Pressflow are terrific, but this issue is tragic.

Subs.

tranquille’s picture

@joshk
any news on this topic?

thanks in advance

JeebsUK’s picture

Does anyone know if the Poll/Advanced Poll module operate in the same way as the vote up/down, I'm having the same sort of problems with pressflow (in that anonymous poll voting does not seem to be working).

thebuckst0p’s picture

subscribe

kerberos’s picture

Subscribing as well.

david.lippi’s picture

Subscribe.

gausarts’s picture

About to deploy pressflow, and have to hold for this one :( Finger crossed. Thanks

asb’s picture

subscribing (after moving to Pressflow ;)

Donaldd’s picture

subscribing

jcisio’s picture

Subscribing...

FYI the patch and the issue in Mollom http://drupal.org/node/562374#comment-2389170
Quick: use $_SESSION for session data.

chrism2671’s picture

Subscribing.

nibblebot’s picture

Category:support» feature
Status:Active» Needs review
StatusFileSize
new1.22 KB
PASSED: [[SimpleTest]]: [MySQL] 2 pass(es).
[ View ]

Used similar code to http://drupal.org/node/562374#comment-2389170 to store a timestamp in the Session which we expire in 30 minutes.

develCuy’s picture

Status:Needs review» Reviewed & tested by the community

The patch works nicely, the issue with sessions is not only with Pressflow but Drupal 7 also, so guess that it needs a port.

fcedillo’s picture

i have tested the patch and confirm that it solves the issue.

marvil07’s picture

Status:Reviewed & tested by the community» Fixed

Thanks for the patch, the suggestion and the review.

After taking a look/try the last patch, references and marking #753478: Anonymous user can not vote: "Oops! There was an error in submitting your vote!" as duplicate, I commit this to 2.x and 3.x.

Finally preparing the rc1 release!

nibblebot’s picture

great! would be interested in alternative to drupal_get_token() that does not require a session cookie. Maybe leave another cookie with a hash if they do not have a session cookie and then write a wrapper function for drupal_get/set_token() that will return a non-session token or a session token depending on whether they have the session cookie.

jcisio’s picture

@nibblebot: even I think that session cookie is the best way for token, maybe it could be done better. File an issue in the Drupal project if you want.

nibblebot’s picture

yeah, after further thought, I think session cookie is the best solution. Any other solution would still require access to your Drupal DB which means you might as well use the session anyway.

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

catch’s picture

Category:feature» bug
Priority:Normal» Major
Status:Closed (fixed)» Needs review
StatusFileSize
new1.79 KB
FAILED: [[SimpleTest]]: [MySQL] 107 pass(es), 8 fail(s), and 21 exception(es).
[ View ]

When there's an anonymous user session, Pressflow disables page caching across the entire site. Since the vote up/down widget is often displayed on most pages, this means the current code effectively switches page caching off altogether if you have Pressflow installed.

Rather than starting a session, it's just a case of passing $skip_anonymous = TRUE to drupal_valid_token() - the token checking is here for CRSF protection, anonymous users don't need protection against that - if you wanted to do mass voting there are much easier ways to do so.

Attached patch does this, but also leaves a hunk in there to remove the session variable if it's there - that means that anonymous users on sites that are already running this code will eventually have their session cleaned up, it'd need to be removed in a future release.

I confirmed that anonymous voting works with this patch applied, although more testing obviously welcome.

Status:Needs review» Needs work

The last submitted patch, vote_up_down.672566.patch, failed testing.

catch’s picture

Status:Needs work» Needs review

It seems very unlikely the test failure was caused by the patch, setting back to CNR.

jcisio’s picture

Status:Needs review» Reviewed & tested by the community

Tested on Pressflow and it works. Anonymous can vote. However, they can't vote twice. Maybe it's because of the reverse proxy (but poll.module works), I think it's rather VotingAPI issue.

marvil07’s picture

Category:bug» feature
Status:Reviewed & tested by the community» Needs review
StatusFileSize
new2.74 KB
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch 0001-feature-request-67256-follow-up-by-catch-marvil07-re.patch.
[ View ]

Thanks for the new patch, it is great to know that we can avoid session :-)

I was working on another issue: #900532: Anonymous voting does not work with core normal cache and I end up with the same solution for it some days ago. So I was tempted to mark this as duplicate one of them :-p, but it seems like we need two things: revert the originally committed patch about this and use skip_anonymous for drupal_valid_token function. ut, again, the workaround for people already using the last two releases with the patch in is a good solution.

@catch: you just also answered my question at #900532-6: Anonymous voting does not work with core normal cache

So, here it is the patch that merge work from both issues(there is another use of drupal_valid_token function at reset link) and I will commit it after a review. I already test it on normal drupal and pressflow, and works fine ;-)

Status:Needs review» Needs work

The last submitted patch, 0001-feature-request-67256-follow-up-by-catch-marvil07-re.patch, failed testing.

marvil07’s picture

Status:Needs work» Needs review

Oopps, the patch should be applied with -p1 (bot only recognize patches for -p0). In the other side, it seems like the bot is not supporting dependencies? (various fails at catch last patch).

Moving back to CNR

catch’s picture

This looks good, I'm not sure about the status of dependencies with the bot - do the test cases explicitly enable the dependencies in setUp()?

marvil07’s picture

Status:Needs review» Fixed

The last patch is committed to 2.x and 3.x.

@catch: We have this as the 1st line on setUp():

<?php
parent
::setUp('votingapi', 'ctools', 'vud');
?>

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

amitaibu’s picture

Version:6.x-2.x-dev» 7.x-1.x-dev
Status:Closed (fixed)» Needs work

As I'm working on the port to 7.

@catch,
Right now, without the $_SESSION, how do we make sure same user can't vote numerous times?

catch’s picture

Hmm, that's a good point.

You could set something in $_SESSION when a user actually votes, then check it later. They'll get page caching disabled for 30 minutes if they vote, but that's a lot less people than anyone who happens to view the voting widget at all.

Could also use something other than $_SESSION like a custom cookie with 30 minute expire.

amitaibu’s picture

> like a custom cookie with 30 minute expire.

Maybe it's better, as like this we gain click-gurad & caching; although a malicious user can remove cookies and start clicking.

catch’s picture

If you remove cookies you also remove the session cookie, that's roughly the same either way.

Another approach would be using the core flood control table - you could do that via IP address or similar, would still only happen if someone actually votes.

amitaibu’s picture

> core flood control table

I think we should take that path. If the user is anon, we register an action on the entity and option (up / down). And upon "reset vote" we can remove the flood records.

amitaibu’s picture

Ok, I've checked and infact voting API is taking care of it -- it didn't work in D7 due to #1189242: Votes for anon users are not deleted correctly.

marvil07’s picture

Version:7.x-1.x-dev» 6.x-2.x-dev
Status:Needs work» Closed (fixed)

Based on last comment, moving to old state.