Favorite Tag: Possible to favorite non-canonical tag

Description

Overview
Users are only supposed to be able to favorite canonical tags, as they're the ones with work listings. (And if a tag is de-canonized, it is removed from people's favorites.) However, if you can find the tag_id of a non-canonical tag, you can sneakily add it to your favorite tags.

Steps to reproduce
1. Log in as a tag wrangler
2. Browse > Tags > New Tag
3. Fill in a name for the tag
4. Check the canonical checkbox
5. Choose a tag type
6. Press Create Tag
7. Where the page says "Edit [Tag name] Tag," follow the name of the tag to go to the tag's landing page
8. Follow the Works link
9. Using your browser's developer tools, inspect the Favorite Tag button and note the value attribute in the part that looks like: <input type="hidden" value="1217412" name="favorite_tag[tag_id]" id="favorite_tag_tag_id">
10. Where the page says "0 Works in Steps to reproduce," follow the name of the tag to go to its landing page
11. Follow the Edit link
12. Uncheck the canonical checkbox
13. Press Save changes
14. Wait a few minutes
15. Follow Browse > Tags
16. Click a tag's name to go to its works page
17. Using your browser's developer tools, inspect the Favorite Tag button and replace the value of the tag you're currently looking at with the value of the tag from step 9
18. Press Favorite Tag

You could also
(a) get a non-canonical tag's tag_id from the database and follow steps 15-17
(b) open a canonical tag's works page and edit page in separate browser tabs, de-canonize the tag from the edit page, and then press the Favorite Tag button on the work page you already have open

What happens
The success message will tell you you have successfully favorited the non-canonical tag from step 9. Checking your Favorite Tags on the homepage will show the tag.

What should happen instead
You should get a red error message saying, "Sorry, you can only add canonical tags to your favorite tags."

Testing notes
In addition to following the steps above, please make sure that you still get the proper "Sorry, you can only save 20 favorite tags" error message when attempting to favorite a 21st tag.

Please use Coveralls to check that test coverage of the app/models/favorite_tag.rb file is at 95.24% or greater.

Activity

Show:
Sarken
August 9, 2019, 10:34 PM

Has two not-me testers, so it’s ready for release!

redsummernight
August 9, 2019, 10:12 PM

Confirmed that saving the 21st favorite tag resulted in the error message "Sorry, you can only save 20 favorite tags."

james_
August 8, 2019, 10:28 PM

 

Looks good.

james_
August 8, 2019, 9:28 PM

Visited https://test.archiveofourown.org/tags/Gundam%20Wing/works

Used developer tools edited:
<input type="hidden" value="5032" name="favorite_tag[tag_id]" id="favorite_tag_tag_id">

to

<input type="hidden" value="56" name="favorite_tag[tag_id]" id="favorite_tag_tag_id">

Looks good.

redsummernight
August 4, 2019, 6:45 PM

Bunch of non-canonical tags for testing:

  • Visited any work listing for a canonical tag (so we have a "Favorite Tag" button), doesn't matter which. I picked https://test.archiveofourown.org/tags/Orlando%20Bloom*s*Viggo%20Mortensen/works.

  • Using the browser's developer tools, inspected the "Favorite Tag" button and edited the hidden field next to it to be: <input type="hidden" name="favorite_tag[tag_id]" id="favorite_tag_tag_id" value="45">, with 45 being the ID of a non-canonical tag.

  • Pressed "Favorite Tag".

  • Got the error "Sorry, you can only add canonical tags to your favorite tags."

Looks good.

DeployedToBeta

Assignee

Sarken

Reporter

Sarken

Roadmap

Tags

Priority

Lowest

Affects versions

Fix versions

Components

BackEnd

Difficulty

Medium

Milestone

Internal 0.9