Description
Basic Information
Hello.
I would like to request a new option in the SMF 2.1 likes system:
ability to hide the list of users who liked a post from guests (non-logged users).
Discussion on this topic:
https://www.simplemachines.org/community/index.php?topic=593808.0
Bots are abusing action=likes;sa=view to generate massive session creation and error logs. SMF 2.1 needs an option to prevent guests from accessing the likes list without breaking functionality for logged users.
The only current mitigation options are:
- blocking via .htaccess: https://www.simplemachines.org/community/index.php?msg=4192411
- removing links from templates
- manually modifying Likes.php: https://www.simplemachines.org/community/index.php?topic=593808.msg4198896#msg4198896
Behaviour
When disabled (recommended default):
- guests cannot access action=likes;sa=view
- the link to the likes list is not shown to guests
- optionally show a message: "You must be logged in to see who liked this post"
This would eliminate the botnet attack vector while preserving flexibility for administrators who want public likes visibility.
SMF 2.1 should include this protection because bots already know and target the likes endpoint.
Steps to reproduce
Expected result
No response
Actual result
No response
Version/Git revision
2.1.6
Database Engine
MySQL
Database Version
No response
PHP Version
No response
Logs
Additional Information
No response
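
A log-triage sketch for the traffic described in this issue, added here as an example (it is not SMF code and not the reporter's): it counts requests to action=likes;sa=view per client in a web server access log, accepting the `;` and `&` separators and the percent-encoded `%3B` form. It assumes combined log format; the function names, sample lines, addresses and message ids are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Combined Log Format; captures the client address and the request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} ')

def smf_params(target):
    """Parse an SMF query string, which separates pairs with ';' as well as '&'."""
    params = {}
    for pair in re.split(r"[;&]", unquote(urlsplit(target).query)):
        key, _, value = pair.partition("=")
        if key:
            params.setdefault(key.lower(), value.lower())
    return params

def is_likes_view(target):
    params = smf_params(target)
    return params.get("action") == "likes" and params.get("sa") == "view"

def likes_view_report(lines, threshold=3):
    """Count likes-list requests per client; flag clients at or above threshold."""
    hits, parsed = Counter(), 0
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format access log line
        parsed += 1
        client, target = match.groups()
        if is_likes_view(target):
            hits[client] += 1
    total = sum(hits.values())
    return {
        "parsed": parsed,
        "likes_view": total,
        "share": round(total / parsed, 2) if parsed else 0.0,
        "noisy_clients": sorted(c for c, n in hits.items() if n >= threshold),
    }

# Constructed sample lines (documentation address ranges, made-up message ids).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=101 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?action=likes%3Bsa=view%3Bltype=msg%3Blike=102 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"',
    '192.0.2.10 - - [01/Jan/2025:10:00:02 +0000] "GET /index.php?action=likes&sa=view&ltype=msg&like=103 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?action=likes;sa=view;ltype=msg;like=101 HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?topic=5.0 HTTP/1.1" 200 2048 "-" "ExampleBrowser/1.0"',
    '203.0.113.5 - - [01/Jan/2025:10:00:05 +0000] "GET /index.php?action=profile;u=2 HTTP/1.1" 200 1024 "-" "ExampleBrowser/1.0"',
    'not an access log line',
]
print(likes_view_report(SAMPLE))
```

An access log in this format does not record whether the client was logged in, so the counts cover all requests to the endpoint, not only guests.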