Limit number of votes on backend #237

Open
diegoalzate opened this issue Mar 1, 2024 · 4 comments
Labels
improvement improving an existing feature

Comments

@diegoalzate
Contributor

overview

A user can use the API to vote as many times as he wants.

@diegoalzate diegoalzate added the bug Something isn't working label Mar 1, 2024
@MartinBenediktBusch
Collaborator

@diegoalzate the max amount of votes a user can do on a given forum_question should be the max amount of available hearts. For example, currently that number is set to 20. How is it currently possible that a user can vote more than that?

@diegoalzate
Contributor Author

@MartinBenediktBusch this is true, but only enforced by the frontend. If the user finds the API to vote, then the user can in theory vote infinite times.

@diegoalzate diegoalzate changed the title There is no max amount votes Limit number of votes on backend Mar 5, 2024
@MartinBenediktBusch
Collaborator

MartinBenediktBusch commented Mar 20, 2024

Overview

@diegoalzate Here is a suggested solution. The solution adds two maxima to the saveVotes function:

  • The first one is a maximum, maxAllowedVotesPerRequest, which validates the number of votes a user attempts to submit in each request to ensure the allowed limit is not exceeded with a single vote. This check is especially relevant for the first vote.
  • The second, maxAllowedVotes, checks whether a user has already exceeded the maximum number of votes.

Proposed solution

```ts
import type { Request, Response } from 'express';
import type { PostgresJsDatabase } from 'drizzle-orm/postgres-js';
import { z } from 'zod';
// `db` (the schema module) and `getUserVoteCount` belong to the project;
// their import paths are not shown in this comment.

export async function saveVotes(dbPool: PostgresJsDatabase<typeof db>) {
  return async function (req: Request, res: Response) {
    const userId = req.session.userId;
    const out: db.Vote[] = [];
    const errors = [];

    // Validate the request body shape before using any of its values
    const reqBody = z
      .array(
        z.object({
          optionId: z.string(),
          numOfVotes: z.number().min(0),
        }),
      )
      .safeParse(req.body);

    if (!reqBody.success) {
      return res.status(400).json({ errors: reqBody.error.errors });
    }

    // Placeholder: replace with the numeric per-request limit
    const maxAllowedVotesPerRequest = 'some number';
    // Sum over the validated data rather than the raw request body
    const totalRequestedVotes = reqBody.data.reduce((total, vote) => total + vote.numOfVotes, 0);
    if (totalRequestedVotes > maxAllowedVotesPerRequest) {
      return res.status(400).json({ errors: [{ message: 'Exceeded maximum allowed votes per request.' }] });
    }

    // Check if the user has exceeded the maximum allowed votes
    const userVoteCount = await getUserVoteCount(dbPool, userId);
    // Placeholder: replace with the numeric overall limit
    const maxAllowedVotes = 'some other number';
    const remainingVotes = maxAllowedVotes - userVoteCount;
    if (totalRequestedVotes > remainingVotes) {
      return res.status(400).json({ errors: [{ message: 'Exceeded maximum allowed votes.' }] });
    }

    // Rest of the code to save votes...
  };
}
```

Limitations

I don't like the fact that the two maxima are hard coded. Is there a way to load them through an environment variable or have them set by the admin?

@diegoalzate
Contributor Author

We could somehow set them in the admin, but this would require a new field somewhere, a place to store info.
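
Added example, not part of the original thread or the project's code: one way to load the two maxima from environment variables and apply both checks on the server. The variable names `VOTE_MAX_PER_REQUEST` and `VOTE_MAX_TOTAL` and the functions `loadVoteLimits` and `checkVoteLimits` are hypothetical; `alreadyCast` stands for the value `getUserVoteCount` returns in the proposal above.

```typescript
// Added example; VOTE_MAX_PER_REQUEST, VOTE_MAX_TOTAL and all function names
// here are hypothetical, not taken from the project.
type VoteLimits = { maxPerRequest: number; maxTotal: number };
type Env = Record<string, string | undefined>;
type VoteInput = { optionId: string; numOfVotes: number };
type Verdict = { ok: true } | { ok: false; message: string };

// Parse one limit. Anything other than a non-negative integer throws, so a
// misconfigured deployment fails at startup instead of running without a cap.
function parseLimit(env: Env, key: string): number {
  const raw = (env[key] ?? '').trim();
  if (!/^\d+$/.test(raw) || !Number.isSafeInteger(Number(raw))) {
    throw new Error(`${key} must be set to a non-negative integer`);
  }
  return Number(raw);
}

// In a Node service this would be called once at startup with process.env.
function loadVoteLimits(env: Env): VoteLimits {
  const maxPerRequest = parseLimit(env, 'VOTE_MAX_PER_REQUEST');
  const maxTotal = parseLimit(env, 'VOTE_MAX_TOTAL');
  if (maxPerRequest > maxTotal) {
    throw new Error('VOTE_MAX_PER_REQUEST cannot exceed VOTE_MAX_TOTAL');
  }
  return { maxPerRequest, maxTotal };
}

// Pure decision function so the limits can be unit-tested without a database.
// Votes are treated as additive to alreadyCast, as in the proposal above.
function checkVoteLimits(
  votes: VoteInput[],
  alreadyCast: number,
  limits: VoteLimits,
): Verdict {
  // Fractional or negative counts would let the sum slip under the limits.
  if (votes.some((v) => !Number.isInteger(v.numOfVotes) || v.numOfVotes < 0)) {
    return { ok: false, message: 'numOfVotes must be a non-negative integer.' };
  }
  const requested = votes.reduce((total, v) => total + v.numOfVotes, 0);
  if (requested > limits.maxPerRequest) {
    return { ok: false, message: 'Exceeded maximum allowed votes per request.' };
  }
  if (requested > limits.maxTotal - alreadyCast) {
    return { ok: false, message: 'Exceeded maximum allowed votes.' };
  }
  return { ok: true };
}
```

The handler would call `checkVoteLimits` after schema validation and return HTTP 400 with the message when `ok` is false.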

@MartinBenediktBusch MartinBenediktBusch self-assigned this Mar 22, 2024
@MartinBenediktBusch MartinBenediktBusch removed their assignment May 14, 2024
@MartinBenediktBusch MartinBenediktBusch added improvement improving an existing feature and removed bug Something isn't working labels May 17, 2024