Fixed Commenting on a report allows duplicates / doesn't do flood checking

Xon

Well-known member
XenForo_ControllerPublic_Report::actionComment doesn't use the preSave()/assertNotFlooding()/save() combo that nearly all other public forms do. This means very basic flood protection doesn't occur, so accidental double posts are possible.

Additionally, when a report is reopened, this state is set independently of the report comment transaction, resulting in a potentially inconsistent report state if the request is terminated.
 

Mike

XenForo developer
Staff member
I'm not totally sure what to tag the resolution of this report.

The flood check isn't really designed as an anti-duplicate system, though it does function as that. It's mostly to limit potentially negative behaviors (flooding). In this scenario, this is only accessible to staff, so I don't think that flood checking is necessary. However, applying a duplicate mitigation isn't unreasonable, so I've just applied our JS-based multi submit fix code which should stop a double click, for example. I think I'm going to call this fixed because the comment was mostly surrounding duplicates.

I've also wrapped the commenting code in a transaction, though I don't believe there's any reason it should fail out of the box (beyond things like DB-level issues).
 
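An added example, not part of the thread and not XenForo code: a sketch of the two points discussed above, with the comment insert and the report reopen committed as one transaction, plus a server-side duplicate check inside that same transaction. The table names, `add_comment`, `snapshot`, the `fail_midway` switch and the 10-second window are all assumptions made for illustration.

```python
import sqlite3

DUPLICATE_WINDOW = 10  # seconds; constructed value, not a XenForo setting


class DuplicateComment(Exception):
    """Same user, same report, same text inside the window."""


def make_db():
    # isolation_level=None: transactions are opened and closed explicitly below.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript("""
        CREATE TABLE report (id INTEGER PRIMARY KEY, state TEXT NOT NULL);
        CREATE TABLE report_comment (id INTEGER PRIMARY KEY, report_id INTEGER,
            user_id INTEGER, message TEXT, created INTEGER);
        INSERT INTO report (id, state) VALUES (1, 'resolved');  -- constructed row
    """)
    return conn


def add_comment(conn, report_id, user_id, message, now, reopen=False, fail_midway=False):
    # BEGIN IMMEDIATE takes the write lock first, so two racing submits serialize
    # and the second one sees the first one's row in the duplicate check.
    conn.execute("BEGIN IMMEDIATE")
    try:
        dup = conn.execute(
            "SELECT 1 FROM report_comment WHERE report_id=? AND user_id=?"
            " AND message=? AND created > ?",
            (report_id, user_id, message, now - DUPLICATE_WINDOW)).fetchone()
        if dup:
            raise DuplicateComment(message)
        conn.execute(
            "INSERT INTO report_comment (report_id, user_id, message, created)"
            " VALUES (?,?,?,?)", (report_id, user_id, message, now))
        if fail_midway:  # hypothetical switch: request dies between the two writes
            raise RuntimeError("simulated request termination")
        if reopen:
            conn.execute("UPDATE report SET state='open' WHERE id=?", (report_id,))
        conn.execute("COMMIT")
    except Exception:
        if conn.in_transaction:
            conn.execute("ROLLBACK")  # neither the comment nor the state change survives
        raise


def snapshot(conn, report_id):
    state = conn.execute("SELECT state FROM report WHERE id=?", (report_id,)).fetchone()[0]
    count = conn.execute("SELECT COUNT(*) FROM report_comment WHERE report_id=?",
                         (report_id,)).fetchone()[0]
    return state, count
```

A client-side multi-submit guard stops a double click; the check here also covers a request that is replayed or sent without the page's JavaScript.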