Fix & Improve the rollover window for anonymous user

Created on 9 June 2019, almost 6 years ago
Updated 27 August 2024, 8 months ago

Problem

Voting API config form suggests that there is a rollover window that you can choose in order for anonymous (and registered) users to cast multiple votes (re-cast a new vote without deleting the old one) from the same source (the IP address originally, e.g. internet cafes, schools, companies), after the rollover window ends.

But in fact, Voting API never uses them either for anonymous or registered users. I would consider this as a major issue if it was described on the module's page.


It's even more confusing, when you can see the description of these settings saying

Setting this to 'never' will eliminate most double-voting

when there is actually no 'never' option.

Related issues

In fact, there are even some issues already opened about the missing 'never' option, and that having a '0 minute' option would be great:
#2791129: Vote rollover settings are missing the "Never" option
#3055835: Vote rollover should have an option for "- no rollover -"

There is also an issue about the fact that different anonymous users on the same network cannot vote more than 1 time and suggests to use a different source than IP address ( Allow multiple votes from anonymous users on a shared IP address Needs review ). While using a different source than the IP address is a possible solution, using Drupal's session is easily bypassable by just restarting the web browser (as stated in the #7 comment of the mentioned issue).

I created this issue to regroup all those kinds of issues in the same place so we can finally fix them and maybe have a stable module.

Suggestions

First of all, I think that having "Immediately" and "Never" options for the rollover window is a must-have:
- "Immediately": for companies' internal projects with a lot of votes at the same time, where you expect well-behaving users and you don't want to prevent several users from being considered as the same one within even a short rollover window.
- "Never": for projects where registered users can only vote one time.

Then, of course, the rollover window must be used in the code, but unlike in this issue: #2791129: Vote rollover settings are missing the "Never" option
I think it would be better to handle it in the VoteStorage::getUserVotes, because eventually, after the rollover window ends, a user from the same source is indeed considered as a different user, and while deleting the vote in the Vote::preSave would avoid double-voting, you would still see old votes being yours after the rollover window has ended, which we do not want.

And finally, having different source options would be a great addition, and while using Drupal's session as a vote source is not a great idea, creating a randomly generated token stored in a cookie is really good. In fact, having a source that combines the IP address + a long duration cookie would be a great solution.

Real use cases

1. You have an internal project to your company where anonymous users can vote on a poll only one time, but because they all have the same IP address, you can't rely on it. Instead you switch to the "cookie" source, and set the rollover to a high value (i.e. 1 week), so, if by any chance, a user ends up generating the same cookie as another user (which should not happen soon), the user would still be able to vote.

2. You have a public project that is subject to a lot of users and is potentially open to spam/attack where anonymous users can vote, but you don't expect users on the same network to vote. Because relying on the cookie would be too dangerous, you instead switch to the "ip" source and choose a moderate rollover value (i.e. 1 day).

3. You have a public project where anonymous users can vote and you expect users from the same network to vote, but you want to avoid the maximum amount of double-voting, so you choose "ip + cookie" coupled to a low rollover value (i.e. 5 minutes).

Conclusion

Of course, as soon as you open your database to anonymous write without moderation, there is no perfect solution.

But, in my opinion, the "ip + cookie" source and a low rollover value combo is the best solution at the moment (if you want anonymous users to be able to vote), as not only does it prevent double-voting from the same IP, but it also prevents double-voting from the same device (by switching from Wi-Fi to 4G, going from your home to your work network, or using a VPN), while it still allows different users from the same network to be able to cast votes after the rollover window ends.

A possible amelioration would be to define several rollover windows for each source, so you could have a low value on the IP and a high value on the cookie, so users from the same network don't have to wait long to cast a new vote, and users from the same device who have forgotten if they have already voted would not be able to double-vote before a longer time. But such a solution would need a lot more changes in the module.

I'll attach my patch in a future comment, and mention this issue in the related issues, to focus on a better solution here.

🐛 Bug report
Status

Needs work

Version

4.0

Component

Code

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
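
The lookup-time rollover check and the "ip", "cookie" and "ip + cookie" sources proposed in the issue summary, as an added sketch that is not part of the original post and is not Voting API code. The function names, the array layout of a vote and the sentinel values for "Immediately" and "Never" are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed sentinel values; the issue names the options but not how they are stored.
const ROLLOVER_IMMEDIATELY = 0;
const ROLLOVER_NEVER = -1;

/** Returns the visitor's cookie token, minting a 128-bit CSPRNG token when absent or malformed. */
function cookie_token(?string $existing): string {
  return ($existing !== null && preg_match('/^[0-9a-f]{32}$/', $existing) === 1)
    ? $existing
    : bin2hex(random_bytes(16));
}

/** Builds the identifiers a vote is recorded under for a given source mode (hypothetical helper). */
function vote_sources(string $mode, string $ip, string $token): array {
  $ids = [];
  if ($mode === 'ip' || $mode === 'ip+cookie') {
    $ids[] = 'ip:' . hash('sha256', $ip);
  }
  if ($mode === 'cookie' || $mode === 'ip+cookie') {
    $ids[] = 'cookie:' . hash('sha256', $token);
  }
  return $ids;
}

/** Lookup-time filter: the stored votes that still count as this visitor's own votes. */
function current_votes(array $votes, array $ids, int $rollover, int $now): array {
  if ($rollover === ROLLOVER_IMMEDIATELY) {
    return [];  // every request is treated as a new voter
  }
  return array_values(array_filter($votes, function (array $v) use ($ids, $rollover, $now): bool {
    // With "ip+cookie", a match on either identifier is enough to recognise the voter.
    $same = array_intersect($v['sources'], $ids) !== [];
    $fresh = $rollover === ROLLOVER_NEVER || $v['timestamp'] > $now - $rollover;
    return $same && $fresh;
  }));
}

// Constructed sample: one vote cast from a home network, then the same device behind a VPN.
$token = cookie_token(null);
$votes = [['sources' => vote_sources('ip+cookie', '203.0.113.7', $token), 'timestamp' => 1000]];
$vpn = vote_sources('ip+cookie', '198.51.100.9', $token);
var_dump(count(current_votes($votes, $vpn, 300, 1200)));  // still inside the 5-minute window
var_dump(count(current_votes($votes, $vpn, 300, 1400)));  // after the window has ended
```

Because the filter runs when votes are looked up rather than when they are saved, an expired vote stays in storage for the tally but is no longer attributed to the current visitor.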


Comments & Activities


  • 🇺🇸United States tr Cascadia

    Also, this needs to now be put into an MR so that it can be tested by the automated testing system. Patches are no longer supported on drupal.org.
