gs-odrs-provider: Fix voting and reporting reviews (!1292) · Merge requests · GNOME / gnome-software

Philip Withnall requested to merge pwithnall/gnome-software:1010-odrs-fixes into main Mar 11, 2022

This is almost entirely based on an investigation by Milan Crha, who deserves the credit for this fix: #1010 (comment 1405055).

The user_skey returned by the server when calling fetch is a hash of the client-provided user_hash and the app_id of an app. In order to vote for or report a review, the user_skey which was returned by the server for that review has to be re-sent to the server by the client, along with the app_id and user_hash.

Due to the use of compat_ids to link together reviews from multiple IDs for the same app (for example, org.gnome.Weather, org.gnome.Weather.desktop and org.gnome.Weather.Application.desktop), different reviews for the same app may have different associated app_ids.

You’d think that the user_skey to be sent to the server to vote for a given review should be a hash of the app_id associated with that review, but it’s not. It’s actually a hash of the app_id originally used to request the reviews from the fetch endpoint.

So use that app ID, rather than the one listed against the review.

An alternate server-side fix is Infrastructure/odrs-web!15 (merged), but this change will break that one.

Signed-off-by: Philip Withnall pwithnall@endlessos.org

Fixes: #1010 (closed)

Closes #1010 (closed)

Edited Mar 11, 2022 by Philip Withnall

gs-odrs-provider: Fix voting and reporting reviews

Merge request reports