Stream: coqbot devs & users

Topic: Getting around @coqbot's permission checking


Ali Caglayan (Mar 25 2022 at 15:17):

@Théo Zimmermann It seems you can edit other people's posts in order to get coqbot to do something. For example, I pinged Maxime's post here and coqbot picked that up. I suppose if I were editing anybody else's post I could add a coqbot command there also. Seems problematic.

Ali Caglayan (Mar 25 2022 at 15:20):

The obvious fix is to check the last editor of the post too, not just the poster. Or at least reject commands from multiple authored posts.

Gaëtan Gilbert (Mar 25 2022 at 15:24):

coqbot should just not look at notifications from edits

Théo Zimmermann (Mar 25 2022 at 18:12):

I added support for edited comments after someone complained that edits were not taken into account. But I agree with the problem (with the caveat that you need already to be a somehow trusted member of the community to be able to edit someone else's comments) and I am fine with any solution (dropping support for edited comments or checking that the edit was done by the original author).

Théo Zimmermann (Mar 25 2022 at 18:13):

That being said, I realize something else which might also be problematic with taking edited comments into account, which is that some commands may be triggered several times because of this (unless we do some smart checking that the command was added in the edit). Therefore, I'm leaning on the side of just reverting the feature.

Théo Zimmermann (Mar 25 2022 at 18:47):

I've pushed the revert. This means that a new version without this feature is being deployed. When this is done, the bench feature won't be available anymore until @Ali Caglayan rebases and redeploys his version of the bot.

Ali Caglayan (Mar 25 2022 at 18:50):

Rebased and deploying: https://github.com/Alizter/bot/actions/runs/2041700266


Last updated: Jan 31 2023 at 09:01 UTC