We found a mismatch between the frontend and backend validation when using the ban researcher feature, available to program customers.
When a program customer issues a ban, an automatic email is sent both to the banned user and to H1 support. The problem is that the frontend will not allow us to make the request again, because the button becomes inactive. However, the backend allows us to repeat the request many times. Thus we can send a lot of messages to the banned user and to the H1 platform (moderators), although this should only be allowed once. This report is similar to #156948 and #159512, where @andrewone says:
it does demonstrate a disconnect between our frontend and backend validation, which should not happen in the first place.
1) As the user we want to ban, submit a test report
2) As a manager of the program, go to the report and click "report abuse" => click "ban report". We will see an inactive button.
3) Intercept the request:
POST: X-CSRF-Token: you_token_:)
4) Re-issue the request multiple times
5) As the banned user, check your inbox - you should have received multiple emails, as the support did.
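The fix belongs on the server: the ban (and its notification emails) must be a one-time state transition that does not depend on the UI disabling a button. The following is an added illustration, not HackerOne's code; the BanService class, the in-memory stores and the ids are assumptions for the demo.

```ruby
# Added example (not HackerOne's code): the server, not the UI button, must
# enforce that a researcher is banned (and notified) at most once per program.
# BanService, the in-memory stores and the sample ids are assumptions.
require 'set'

class BanService
  attr_reader :sent_emails

  def initialize
    @bans = Set.new    # (program_id, user_id) pairs already banned
    @sent_emails = []  # constructed outbox standing in for the mailer
  end

  # Returns :banned on the first call and :already_banned on any replay.
  # The email fan-out only happens on the state transition, so replaying
  # the same POST cannot spam the banned user or H1 support.
  # Note: this Set check is not race-safe; a real backend needs a unique
  # constraint on (program_id, user_id) and should mail only when the
  # insert succeeds.
  def ban(program_id:, user_id:, manager_id:)
    key = [program_id, user_id]
    return :already_banned if @bans.include?(key)
    @bans << key
    notify(program_id, user_id, manager_id)
    :banned
  end

  private

  def notify(program_id, user_id, manager_id)
    @sent_emails << { to: "user:#{user_id}",
                      subject: "You were banned from program #{program_id}" }
    @sent_emails << { to: 'h1-support',
                      subject: "Manager #{manager_id} banned user #{user_id}" }
  end
end

# Simulate the report's scenario: the frontend disables the button after one
# click, but the identical request reaches the backend `times` times.
# Returns the per-call results and the total number of emails sent.
def replay_ban(times)
  svc = BanService.new
  results = Array.new(times) { svc.ban(program_id: 42, user_id: 7, manager_id: 1) }
  [results, svc.sent_emails.size]
end
```

With the check in place, five replayed requests still produce exactly two emails (one to the user, one to support) instead of ten.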
Spam banned users and H1