
Cheating with DiceRoller

This discussion is related to the Dice Roller addon.
Linc Detroit Admin

Hey @ToastyFish, I dunno if you're still maintaining this but I recently had a look at the source at the request of a client. Unfortunately it's easy to circumvent the anti-cheat mechanism with a little HTML. You'll probably want to store the roll value on a separate database column or in the Attributes column, and then show it separately after the body of the comment. That way it isn't editable at all after a roll is made. Attempting to pattern-match what the person types is going to fail no matter how hard you try.

If you have questions about doing that, feel free to post 'em here or start a new discussion and @mention me. Alternatively, if this client contracts us to make the change, I'll pass 'em back to you for the next version.


  • Todd Chief Product Officer Vanilla Staff

    If I were to make a dice roller I'd consider some of the following options:

    1. Don't let the author edit or delete a post that has a dice role in it.
    2. Use the post's ID and/or timestamp as a random seed so the numbers generated off the post are always the same.
  • Linc Detroit Admin

    Yeah he said elsewhere he didn't want to lock down comments tho, which leaves storing the calculated result separately (and only calculate on inserts, not updates).

  • Todd Chief Product Officer Vanilla Staff

    Man, that's just not advisable. Let's look at this scenario.

    I swing my longsword at that orc (role: 1), uh oh...

    Edit, edit.

    I try and punch myself in the face (role: 1), hurray!

  • "roll play" :P

    grep is your friend.

  • Linc Detroit Admin

    Aside from editing, the other issue is just faking a computed dice roll in your original comment.
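
A minimal sketch of the approach Linc describes in this thread: the result is stored apart from the comment body, calculated on insert only, and rendered from the stored value. It is added here as an illustration and is not taken from the Dice Roller addon or from Vanilla; the `[roll NdM]` syntax, the in-memory `comments` table and all function names are assumptions.

```python
import html
import re
import secrets

# Hypothetical roll syntax for this sketch: "[roll 2d6]" anywhere in the body.
ROLL_TAG = re.compile(r"\[roll (\d{1,2})d(\d{1,3})\]")

# Stands in for the comment table: comment_id -> {"body": str, "attributes": dict}
comments = {}


def insert_comment(comment_id, body):
    """Roll only here, on insert, and keep the result out of the editable body."""
    rolls = []
    for count, sides in ROLL_TAG.findall(body):
        count, sides = int(count), int(sides)
        if count >= 1 and sides >= 2:
            values = [secrets.randbelow(sides) + 1 for _ in range(count)]
            rolls.append({"dice": f"{count}d{sides}", "values": values})
    comments[comment_id] = {"body": body, "attributes": {"rolls": rolls}}


def update_comment(comment_id, new_body):
    """Edits replace the body only; stored rolls are never recalculated
    and never parsed back out of what the user typed."""
    comments[comment_id]["body"] = new_body


def render_comment(comment_id):
    """The body is escaped user text; the roll block is built only from
    the stored attributes, so markup typed into the body cannot imitate it."""
    row = comments[comment_id]
    out = '<div class="body">' + html.escape(row["body"]) + "</div>"
    for roll in row["attributes"]["rolls"]:
        values = ", ".join(str(v) for v in roll["values"])
        out += f'<div class="server-roll">{roll["dice"]}: {values}</div>'
    return out
```

Editing the text around a stored roll, the scenario Todd raises, is still possible with this design.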
