ppy / osu-web

the browser-facing portion of osu!
https://osu.ppy.sh
GNU Affero General Public License v3.0
980 stars 384 forks source link

Probably shouldn't be able to bypass the minimum play count requirement when posting to forum/chat/etc #6688

Open nekodex opened 4 years ago

nekodex commented 4 years ago

(discussion extracted from #6684, which added the ability to toggle the bypass)

Not sure if we ever really want 'verified' to be allowed to bypass the minimum play count?

Digging through the history on OsuAuthorize, it seems like the verification bypass was put there to allow chat from the API(lazer) and InterOp(bancho) endpoints to work (not sure if it was intentional to bypass the min playcount though?) (ref: #5352, maybe @nanaya can confirm?)

This brings up the question as to what the actual behaviour should be for new users attempting to chat in-game, or new users who exclusively play on lazer (which afaik doesn't update playcount)?

peppy commented 4 years ago

The intention was to support lazer, but if we limit the restrictions to just lazer it's only a matter of time before the abuse begins to hit the lazer API endpoint rather than the web chat API endpoint.

notbakaneko commented 4 years ago

If the bypass is there to support lazer, we're going to need some other way of identifying if lazer has been used, or, lazer is going to have to be included in the playtime or playcount in some form.

notbakaneko commented 4 years ago

The play time requirement was changed to minimum play count / verification because of #5348, but as mentioned here https://github.com/ppy/osu-web/issues/5348#issuecomment-559326527, it's no use for compromised email accounts.