
Chat ban based on username rather than user id #323

@Nateowami


It's been reported on Get Satisfaction that users can avoid the chat ban by changing their usernames. I dug around a bit and found that chat bans are stored in Redis as a pair like so: banned-#{user_id}:banned. Unfortunately, instead of using the user ID, it uses the username. Therefore it's trivial for users to un-ban themselves (and this is happening). I tried to track down the source of the problem but got lost in all the PubNub.

I also noticed that the user ID for the sending of a message comes from the client side, rather than taking it from current_user.id. Thus, it's possible to pretend to be any user by opening the DOM inspector and changing the user ID of the hidden form field. See chat_controller.rb and live_quiz.html.erb.

I would also suggest linking users' names in the chat to their profile (making it much harder to impersonate someone effectively, which is happening).

I'd try fixing these myself, but the development machine I normally use is not with me and I'm not sure if I would succeed in running quizzes and working with PubNub (plus being swamped with other things at the moment).
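The two fixes the issue asks for, written out as an added example (this is not code from the project on this page, and the Redis key format, `ChatBans`, `ChatService`, `FakeRedis` and the `User` struct are assumptions made here): the ban key is built from the immutable user id, so a rename no longer clears it, and the message sender is taken from the server-side `current_user` rather than from a submitted form field, so a client-supplied `user_id` parameter is simply ignored. An in-memory hash stands in for the Redis connection so the example runs offline.

```ruby
# Added example, not project code. Demonstrates:
#  1. a chat ban keyed on user id instead of username
#  2. a send path that ignores any client-supplied user id
# FakeRedis is a constructed stand-in for the real Redis client (only the
# three calls used here), so the example runs without a server.

class FakeRedis
  def initialize
    @data = {}
  end

  def set(key, value)
    @data[key] = value.to_s
  end

  def get(key)
    @data[key]
  end

  def del(key)
    @data.delete(key)
  end
end

# Minimal user record: the id never changes, the username can be edited.
User = Struct.new(:id, :username)

class ChatBans
  def initialize(redis)
    @redis = redis
  end

  # Key on the immutable id. A key derived from the username is dropped the
  # moment the user renames themselves, which is the evasion the issue reports.
  def key_for(user)
    "banned-#{user.id}:banned"
  end

  def ban(user)
    @redis.set(key_for(user), 'banned')
  end

  def unban(user)
    @redis.del(key_for(user))
  end

  def banned?(user)
    @redis.get(key_for(user)) == 'banned'
  end
end

class ChatService
  attr_reader :messages

  def initialize(bans)
    @bans = bans
    @messages = []
  end

  # Hardened send path: the sender is the authenticated current_user resolved
  # server-side. Whatever user_id the client put in params is never read.
  def send_message(current_user, params)
    return { status: :forbidden } if @bans.banned?(current_user)

    msg = { user_id: current_user.id,
            username: current_user.username,
            text: params[:text].to_s }
    @messages << msg
    { status: :ok, message: msg }
  end
end

# Walks through the two scenarios and returns the observed outcomes.
def demo
  bans = ChatBans.new(FakeRedis.new)
  chat = ChatService.new(bans)

  alice = User.new(42, 'alice')
  bans.ban(alice)

  before_rename = chat.send_message(alice, { text: 'hi' })
  alice.username = 'alice2'          # rename: the id-keyed ban still applies
  after_rename = chat.send_message(alice, { text: 'hi again' })

  bob = User.new(7, 'bob')
  # A spoofed user_id in params is discarded; the stored message carries bob's id.
  bob_result = chat.send_message(bob, { text: 'hello', user_id: 42 })

  { before_rename: before_rename[:status],
    after_rename: after_rename[:status],
    bob_status: bob_result[:status],
    bob_recorded_id: bob_result[:message][:user_id] }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the outcome hash: both of alice's sends are refused (the rename does not help), and bob's message is recorded under id 7 regardless of the `user_id: 42` he submitted. In a Rails controller the same shape applies: pass `current_user` into the service and never read a user id out of `params`.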
