dPoll development updates: Result filtering and voting audits

in #utopian-io, 6 years ago


See it online at dpoll.xyz, and the source code in the GitHub repository.


dPoll is a poll application built on top of the STEEM blockchain. It uses account-based voting and stores poll and voting data on the blockchain. It's currently ranked #4 on steemapps by usage numbers.

Result filters

Dan's latest poll raised some questions about account-based voting. To eliminate multi-account voting abuse, we have implemented result filters on the poll detail page.

It's possible to filter voters by

  • Minimum reputation
  • Minimum STEEM power
  • Minimum account age in days
  • Minimum post count

If you have something big to decide and will act on the outcome of a poll you have created, you can use these filters to exclude 0 SP/0 activity accounts.

We didn't want to prevent anyone from voting, so as a poll owner you can't set restrictions on your potential voters. Every account can vote, and the default view doesn't exclude any accounts. However, you can filter/exclude the results based on the parameters you set.

Related pull requests:

Auditing votes

dPoll uses main posts as polls, and comments as votes. Whenever you post a poll, secret JSON metadata is written to the blockchain. The same applies to votes.

People may delete the comment from Steemit. This operation doesn't actually delete the comment; it only sends a signal that it's deleted. The comment operations still stay in the history of the blockchain. However, get_content_replies doesn't return the deleted comments.

People may edit the comments with alternative Steem apps. These apps may hijack the json_metadata and therefore remove the voting_data when they're used for editing.

See Auditing dPolls.

In order to make the auditing process easier, we have started storing corresponding transaction ids and block numbers for each vote.

There is also a public table available for each poll (accessible via the audit button in the detail page).
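An audit over stored transaction ids and block numbers can look like the following added sketch, which is not dPoll's own code. The history, the database rows, the function names and the `voting_data` layout inside `json_metadata` are constructed assumptions; a real audit would fetch each block from a Steem node instead of a dictionary.

```python
import json

POLL = ("alice", "which-wallet")  # constructed (author, permlink) of the poll post

# Constructed chain history keyed by (block_num, trx_id). The "voting_data"
# layout inside json_metadata is an assumption made for this sketch.
HISTORY = {
    (100, "aa01"): {"type": "comment", "author": "bob", "permlink": "re-bob",
                    "parent": POLL, "json_metadata": '{"voting_data": {"choice": "A"}}'},
    (101, "aa02"): {"type": "comment", "author": "carol", "permlink": "re-carol",
                    "parent": POLL, "json_metadata": '{"voting_data": {"choice": "B"}}'},
    # carol edits her comment with another app, which drops voting_data
    (150, "bb07"): {"type": "comment", "author": "carol", "permlink": "re-carol",
                    "parent": POLL, "json_metadata": '{"app": "other"}'},
    # bob deletes his comment; the operation in block 100 is still in history
    (160, "bb09"): {"type": "delete_comment", "author": "bob", "permlink": "re-bob"},
}

# Constructed rows, as stored by the application for each vote.
DB_VOTES = [
    {"voter": "bob", "choice": "A", "block_num": 100, "trx_id": "aa01"},
    {"voter": "carol", "choice": "B", "block_num": 101, "trx_id": "aa02"},
    {"voter": "dave", "choice": "A", "block_num": 120, "trx_id": "cc03"},
]

def audit_vote(row, history=HISTORY, poll=POLL):
    """Check one stored vote against the operation at its block and trx id."""
    op = history.get((row["block_num"], row["trx_id"]))
    if op is None:
        return "not-on-chain"
    try:
        choice = json.loads(op["json_metadata"])["voting_data"]["choice"]
    except (ValueError, KeyError, TypeError):
        return "mismatch"
    if (op["author"], op.get("parent"), choice) != (row["voter"], poll, row["choice"]):
        return "mismatch"
    # Later operations on the same comment cannot erase the original; report them.
    later = {o["type"] for (blk, _), o in history.items()
             if blk > row["block_num"]
             and (o["author"], o["permlink"]) == (op["author"], op["permlink"])}
    if "delete_comment" in later:
        return "on-chain, deleted later"
    return "on-chain, edited later" if "comment" in later else "on-chain"

def audit_poll(rows=DB_VOTES):
    return {row["voter"]: audit_vote(row) for row in rows}
```

Because the lookup goes to the recorded block and transaction rather than to the current state of the comment, a later delete or metadata-stripping edit shows up as a flag instead of making the vote disappear.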

Related pull requests:

Defensive broadcasting logic on votes


The previous logic on dPoll votes was:

  • Register the vote in dPoll's internal database
  • Sync the vote to the blockchain

However, this caused some problems. Due to a really rare hiccup on Steemconnect, we were seeing some votes that existed on dPoll but not on the blockchain. For reference, on this huge poll, the issue affected two votes.

We have updated the logic to behave more defensively: we register the vote in the database only if we get a successful response from Steemconnect.

Related pull request:


Current activity levels

dPoll is ranked at 4 on steemapps. On stateofdapps we are at number 17.

Without any huge delegations, it's amazing that we generate that level of activity in the blockchain.

Thanks to our community and sponsors for the support. Our curation account is @dpoll.curation. You may consider delegating to that account to support the project.

Vote for my witness

I do my best to support the blockchain with my skills. If you like what I do, consider casting a vote via Steemconnect or on steemit.com.

  • Good article with images, code samples and explanations.
  • Code could use more comments.

Your contribution has been evaluated according to Utopian policies and guidelines, as well as a predefined set of questions pertaining to the category.

To view those questions and the relevant answers related to your post, click here.


Need help? Chat with us on Discord.

[utopian-moderator]

Thank you for your review, @helo! Keep up the good work!

ǝɹǝɥ sɐʍ ɹoʇɐɹnƆ pɐW ǝɥ┴

This is a speedy and quality update to the system, nice one! :D

Impressive work and data to strengthen the outcomes of the results. Amazing that you were able to do in such short time!

Posted using Partiko iOS

This is an amazing work @Emrebeyler and the entire @dpoll team. These restrictions are a good way to sanitize the blockchain to really bring out the value it stands for. It is quite sad how people would always be on readiness to abuse others' intellectual capacity.

My suggestion:

I would advise that you also help the dpoll creator to limit voters by the level of activity of the accounts. Some idle accounts may just be created for such purposes. This implies that an account that has not been active for a few days past should not just become active for the purpose of voting. Any account that should participate must be active at least in the last 7 days before being eligible. The reputation, age, no. of posts can still be abused, but the level of account activity would rarely be.

Good luck!

Meanwhile, thanks to @Theycallmedan for really spicing the value of @dpoll

Hi! How can I vote for this app in the rank?

I was watching the #89 pull request, maybe if you add a validation before the loop asking for all the variables equal to zero, you could avoid the entire loop (if 0 is the default value of all the fields it will be useful).

I don't know the Python language, and I suppose that the cast and try is enough, but is it possible to use SQL injection in this kind of form?

Best regards!

Yes, good catch. Code can be refactored into using SQL instead of traversing all available votes.

Wait, I was talking about a vulnerability called "SQL injection", it's a way to introduce malicious SQL code in a human-filled form.

If you have a field that is concatenated in a SQL query, something like:

query = "SELECT * FROM USERS WHERE SP > " + sp;

If I put this in the field:
[1 select password from users --]

I can execute SQL code in your app. Even if you use a read/write connection, the code could contain some "drop table " or "drop database". Take a look at this:

Ah, no. Not even close to being vulnerable to SQL injection :)

https://github.com/emre/dpoll.xyz/blob/master/dpoll/polls/utils.py#L271

Also, Django ORM prevents SQL injection attacks with prepared queries as long as the library user doesn't execute raw queries.

The real problem with the current implementation is that the app gets all votes then filters them in a for loop. That doesn't matter at such a small scale as dPoll's, but it should be done at the database level (more efficient and less code).
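The two points from this exchange, casting the filter fields and filtering at the database level with bound parameters, are combined in the following added example, which is not dPoll's code. It uses the standard-library sqlite3 module as a stand-in for the Django ORM; the `votes` table, its columns, the form field names and the function names are assumptions, and the rows are constructed.

```python
import sqlite3

FILTERS = ("min_rep", "min_sp", "min_age_days", "min_posts")

def parse_filters(form):
    """Cast each filter to a non-negative int; reject anything else."""
    parsed = {}
    for name in FILTERS:
        try:
            parsed[name] = int(form.get(name, 0))
        except (TypeError, ValueError):
            raise ValueError(f"{name} must be an integer") from None
        if parsed[name] < 0:
            raise ValueError(f"{name} must not be negative")
    return parsed

def filtered_voters(conn, poll_id, form):
    """Filter in the database with bound parameters, never concatenation."""
    params = {"poll": poll_id, **parse_filters(form)}
    rows = conn.execute(
        "SELECT voter FROM votes WHERE poll_id = :poll"
        " AND reputation >= :min_rep AND sp >= :min_sp"
        " AND age_days >= :min_age_days AND posts >= :min_posts"
        " ORDER BY voter", params)
    return [r[0] for r in rows]

def demo_db():
    """Constructed sample data; table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE votes (poll_id INTEGER, voter TEXT,"
                 " reputation INTEGER, sp INTEGER, age_days INTEGER, posts INTEGER)")
    conn.executemany("INSERT INTO votes VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "bob", 55, 1200, 400, 310),
        (1, "carol", 48, 90, 200, 45),
        (1, "idle1", 25, 0, 2, 0),
        (1, "idle2", 25, 0, 1, 0),
    ])
    return conn

if __name__ == "__main__":
    db = demo_db()
    print(filtered_voters(db, 1, {}))
    print(filtered_voters(db, 1, {"min_sp": "50", "min_age_days": "30"}))
```

A field value such as the bracketed string quoted earlier in the thread fails the integer cast and never reaches the query; even without the cast, a bound parameter is passed to the database as a value, not as SQL text.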

Perfect! Are you able to use linq to retrieve a filtered dataset in python?

I enjoyed voting on dpoll a few times. I wish we had something like dpoll when some of the important details for the previous hardforks were being discussed.

I foresee dPoll playing a critical role in gauging community sentiment on future upgrades to the Steem blockchain.

Voted for your witness!

Thank you for the witness vote. Much appreciated. :)

Thank you for this useful update

Thank you so much for participating in the Partiko Delegation Plan Round 1! We really appreciate your support! As part of the delegation benefits, we just gave you a 3.00% upvote! Together, let’s change the world!

Hi @emrebeyler!

Your post was upvoted by @steem-ua, new Steem dApp, using UserAuthority for algorithmic post curation!
Your post is eligible for our upvote, thanks to our collaboration with @utopian-io!
Feel free to join our @steem-ua Discord server