
Infinite Subscriptions #9

Description

@theunknownartisthour

This is an active exploit of the points system:
https://www.minds.com/newsfeed/645708969918078985

Here are the two parts of the subscription system:
https://github.com/Minds/front/edit/master/app/src/components/buttons/subscribe.ts

https://github.com/Minds/engine/edit/master/Controllers/api/v1/subscribe.php

In the second part, the post function should check whether the user isn't already subscribed:

    public function post($pages)
    {
        Factory::isLoggedIn();

        if ($pages[0] === 'batch') {
            $guids = $_POST['guids'];

            Queue\Client::build()
                ->setQueue('SubscriptionDispatcher')
                ->send([
                    'currentUser' => Core\Session::getLoggedInUser()->guid,
                    'guids' => $guids
                ]);

            return Factory::response(['status' => 'success']);
        }

        $canSubscribe = Security\ACL::_()->interact(Core\Session::getLoggedinUser(), $pages[0]) &&
            Security\ACL::_()->interact($pages[0], Core\Session::getLoggedinUser());

        if (!$canSubscribe) {
            return Factory::response([
                'status' => 'error'
            ]);
        }

        // Need to check if subscribed already (make use of the get request above?).
        $alreadySubscribed = false;
        if ($alreadySubscribed) {
            // Throw an error, with an "already subscribed" message.
            return Factory::response([
                'status' => 'error'
            ]);
        }

        $success = elgg_get_logged_in_user_entity()->subscribe($pages[0]);
        $response = array('status' => 'success');
        // The point is credited here regardless of whether subscribe() succeeded.
        Helpers\Wallet::createTransaction(Core\Session::getLoggedinUser()->guid, 1, $pages[0], 'subscribed');
        if (!$success) {
            $response = array(
                'status' => 'error'
            );
        }

        return Factory::response($response);
    }

A similar solution also needs to be implemented for the delete function, to prevent users from potentially draining themselves of points.
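As an added illustration of the fix the issue asks for (example code, not Minds' own), the following in-memory model credits or debits a point only when the subscribe or unsubscribe call actually changes the stored subscription state, so repeating either request is a no-op for the wallet. The `SubscriptionLedger` class and the `user-a`/`user-b` guids are hypothetical stand-ins for the engine's storage and session.

```php
<?php
// Added example, not Minds' code: an in-memory model in which points move only when the
// subscription state actually changes. SubscriptionLedger is a hypothetical stand-in.
final class SubscriptionLedger
{
    private array $edges = [];   // keyed "subscriber:target"
    private array $points = [];  // points per user guid
    public function balance(string $guid): int
    {
        return $this->points[$guid] ?? 0;
    }

    public function isSubscribed(string $subscriber, string $target): bool
    {
        return isset($this->edges["$subscriber:$target"]);
    }

    // Mirrors the issue's post(): reject unless a new edge is created, and credit
    // the point only after that transition has happened.
    public function subscribe(string $subscriber, string $target): array
    {
        if ($subscriber === $target || $this->isSubscribed($subscriber, $target)) {
            return ['status' => 'error', 'message' => 'already subscribed'];
        }
        $this->edges["$subscriber:$target"] = true;
        $this->points[$subscriber] = $this->balance($subscriber) + 1;
        return ['status' => 'success'];
    }

    // Mirrors delete(): only an existing edge can be removed, so repeating the
    // request cannot drain points.
    public function unsubscribe(string $subscriber, string $target): array
    {
        if (!$this->isSubscribed($subscriber, $target)) {
            return ['status' => 'error', 'message' => 'not subscribed'];
        }
        unset($this->edges["$subscriber:$target"]);
        $this->points[$subscriber] = $this->balance($subscriber) - 1;
        return ['status' => 'success'];
    }
}

$ledger = new SubscriptionLedger();
for ($i = 0; $i < 3; $i++) {
    $ledger->subscribe('user-a', 'user-b');  // only the first call is accepted
}
echo $ledger->balance('user-a'), PHP_EOL;    // balance after three attempts
$ledger->unsubscribe('user-a', 'user-b');
$ledger->unsubscribe('user-a', 'user-b');    // rejected: nothing left to debit
echo $ledger->balance('user-a'), PHP_EOL;
```

In the real engine the same guard belongs in the datastore as well (a unique subscriber/target key checked inside the write), since two concurrent requests can both pass an in-code "already subscribed" check before either row is stored.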
