Details
- Bug
- Resolution: Obsolete
- Medium
- None
- 4.4.0
- None
Description
site.ini has:
    # eZ Publish session handler (class name)
    # When empty uses ezpSessionHandlerPHP, a session handler that lets php remain in control
    # of the session handling (def: files, as defined by session.save_handler in php.ini)
    # To get back old behavior for logged in/anonymous count & session clearing, use ezpSessionHandlerDB
    # and enable ForceStart setting.
    Handler=
Because of this, when the ezsrServerFunctions::rate function checks session->hasSessionCookie, it returns false and the rate function exits, because the request is treated as a spammer's attack.
    // Provide extra session protection on 4.1 (not possible on 4.0) by expecting user
    // to have an existing session (new session = mostlikely a spammer / hacker trying to manipulate rating)
    if ( class_exists( 'eZSession' ) && eZSession::userHasSessionCookie() !== true )
        return $ret;
Steps to reproduce
1. New installation of eZ Publish 4.4
2. Try to rate anything as anonymous