By default, the tuple (user_id, proposal_id) is not UNIQUE on the votes table. This makes ActsAsVotable vulnerable to a race condition, where the same user can vote twice (or more) on the same proposal.
ActsAsVotable code:

```ruby
votes = find_votes_by(options[:voter], options[:vote_scope])
if votes.count == (0) || options[:duplicate]
  # this voter has never voted
  vote = ActsAsVotable::Vote.new(
    votable: self,
    voter: options[:voter],
    vote_scope: options[:vote_scope]
  )
else
  # this voter is potentially changing his vote
  vote = votes.last
end
```
A thread can query the database for whether a voter has already voted on a proposal while the first thread has not yet executed its insert statement, leading to a race condition where the database responds votes.count = 0. The second thread will then enter the condition and insert a second register, because the database definition permits this behavior by default.
dreadlocked changed the title from 'Race Condition due to lack of UNIQUE constrain on "votes" table' to 'Race Condition due to lack of UNIQUE constraint on "votes" table' on Feb 1, 2018
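The check-then-insert window described in the issue, reproduced deterministically as an added example (not code from the issue or from the gem). `VotesTable`, `DuplicateKey` and `race_two_votes` are hypothetical names, and the in-memory table is a constructed stand-in for the real votes table with and without a UNIQUE (user_id, proposal_id) index.

```ruby
# Constructed in-memory stand-in for the votes table (not the gem's code).
class DuplicateKey < StandardError; end

class VotesTable
  attr_reader :rows

  def initialize(unique:)
    @unique = unique   # true models UNIQUE (user_id, proposal_id)
    @rows = []
    @lock = Mutex.new  # each statement is atomic, as in a real database
  end

  def count(user_id, proposal_id)
    @lock.synchronize { @rows.count { |r| r == [user_id, proposal_id] } }
  end

  def insert(user_id, proposal_id)
    @lock.synchronize do
      if @unique && @rows.include?([user_id, proposal_id])
        raise DuplicateKey, "duplicate (#{user_id}, #{proposal_id})"
      end
      @rows << [user_id, proposal_id]
    end
  end
end

# Two requests run the same check-then-insert logic. The queues force both
# count checks to finish before either insert, which is the racy interleaving.
def race_two_votes(table, user_id: 1, proposal_id: 42)
  checked = Queue.new
  go = Queue.new
  workers = 2.times.map do
    Thread.new do
      already_voted = table.count(user_id, proposal_id) > 0
      checked << true
      go.pop                        # wait until both threads have checked
      next :skipped if already_voted
      begin
        table.insert(user_id, proposal_id)
        :inserted
      rescue DuplicateKey
        :rejected                   # the constraint caught the duplicate
      end
    end
  end
  2.times { checked.pop }
  2.times { go << true }
  workers.map(&:value).sort
end
```

Without the constraint both requests insert a row; with it the second insert is rejected, so the application only has to rescue the duplicate-key error instead of relying on the count check.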