• @[email protected]
    link
    fedilink
    216
    edit-2
    4 months ago

    At my job, we have an error code that is similar to this. On the frontend, it’s just like error 123.

    But in our internal error logs, it’s because the user submitted their credit card, didnt fully confirm, press back, removed all the items out of their cart, removed their credit card, then found their way back to the submit button through the browser history and attempted to submit without a card or a cart. Nothing would submit and no error was shown, but it was UI error.

    It’s super convoluted. And we absolutely wanted to shoot the tester who gave us this use case.

    • @Jerkface
      link
      140
      edit-2
      4 months ago

      Better the tester than a user.

    • @[email protected]
      link
      fedilink
      75
      edit-2
      4 months ago

      And we absolutely wanted to shoot the tester who gave us this use case.

      Why? Because he tested well and broke the software? A user changing their mind during a guided activity absolutely is a valid use case.

      • @[email protected]
        link
        fedilink
        English
        74 months ago

        It’s likely a difference of emotion compared to logic. Emotionally they’d think “Damn it, now we need to check for such a weird specific edge-case, this is so annoying” while logically knowing it’s better the tester caught it.

      • FuglyDuck
        link
        English
        424 months ago

        there’s three qualifications to being a testor:

        Finding stupid ways to break shit, Being able to accurately explain how you broke shit, and being likeable enough that breaking their shit doesn’t make the devs angry.

        • I Cast Fist
          link
          fedilink
          164 months ago

          Being able to accurately explain how you broke shit

          This is the most important part. Or look at systems like SpiffingBrit and Josh (Let’s Game it Out) look at games

            • I Cast Fist
              link
              fedilink
              54 months ago

              That too, but also lots of glitching through walls and, most importantly, “doing everything as wrong as possible”

    • @jaybone
      link
      304 months ago

      Don’t shoot the tester shoot whoever wrote the code (or the framework / library) that got you into this situation in the first place.

    • @takeda
      link
      27
      edit-2
      4 months ago

      If that broke the software it sounds like you have a very good tester.

    • @[email protected]
      link
      fedilink
      194 months ago

      What about the test case where I’m using the browser’s dev tools to re-send http requests in random orders?

  • @CeeBee_Eh
    link
    1454 months ago

    What the user was doing is that they don’t trust that the system truly deleted the account, and they worry it was just deactivated (while claiming it was “deleted”). So they tried to do a password recovery which often reactivates a falsely “deleted” account.

    I’ve done this before and had to message the company and have them confirm the account is entirely deleted.

    • @x00z
      link
      50
      edit-2
      4 months ago

      Many services have a grace period. Mostly it’s 30-90 days where they keep your data, just in case somebody else decided to delete your account or you were drunk or something. But it could also be for legal reasons, like websites where you can post stuff for everybody to see, in case you post something highly illegal and the authorities need to find you. Another example is where a webshop is required to keep a copy of your data for their bookkeeping.

      • @CeeBee_Eh
        link
        144 months ago

        But it could also be for legal reasons, like websites where you can post stuff for everybody to see, in case you post something highly illegal and the authorities need to find you. Another example is where a webshop is required to keep a copy of your data for their bookkeeping.

        None of these require your account to “exist”. There could simply be an acknowledgement stating those reasons with “after X days the data will be deleted, and xyz will be archived for legal reasons”.

        Mostly it’s 30-90 days where they keep your data, just in case somebody else decided to delete your account or you were drunk or something

        This is the only valid reason. But even then this could be stated so that the user is fully aware. Then an email one week and another one day before deletion as a reminder, and a final confirmation after the fact. I’ve used services before that do this. It’s done well and appreciated.

        This pseudo-deletion shadow account stuff is annoying.

        • @x00z
          link
          34 months ago

          None of these require your account to “exist”.

          It’s actually much more technical than theoretical. When you delete an account on a website, that is being kept for a little while longer, it merely has field in the database that gets updated. (often with a removal date as well for the automatic removal after x amount of days). This field needs to be checked everywhere the account is used. And account recovery is mostly a part where this is forgotten, or possibly not even wanted.

          And to claim this as fact, I just realized that the website I work on allows recovering of banned accounts. (Removed accounts are completely removed though because we don’t need to retain any data).

          This is the only valid reason. But even then this could be stated so that the user is fully aware.

          Keeping the records for a little while longer is actually implied to be known. It’s in their privacy policy, and is legal.

          Whether or not services should make this easier to know exactly what is happening I definitely agree. Personally I think post history without user identifiable data should also be removed, but this is even less common practice (and is why tools exist to delete all your reddit posts for example).

          • @[email protected]
            link
            fedilink
            2
            edit-2
            4 months ago

            This field needs to be checked everywhere the account is used.

            Usually something like this would be enforced once in a centralized location (in the data layer / domain model), rather than at every call site.

            for the automatic removal after x amount of days

            This gets tricky because in many jurisdictions, you need to ensure that you don’t just delete the user, but also any data associated with the user (data they created, data collected about them, data provided by third-parties, etc). The fan-out logic can get pretty complex :)

            • @x00z
              link
              24 months ago

              Usually something like this would be enforced once in a centralized location (in the data layer / domain model), rather than at every call site.

              True. Although not every endpoint is the same, nor is every website or service.

              This gets tricky because in many jurisdictions, you need to ensure that you don’t just delete the user, but also any data associated with the user

              GDPR specifically mentions user identifiable data. I don’t know about others.

  • nifty
    link
    614 months ago

    When you’re the reason error log messages are created…

  • CEbbinghaus
    link
    544 months ago

    Hoh man what a journey. And I love that this incredibly complex situation is the only reason that status would return. What a fun time debugging that would have been

    • @Omgarm
      link
      274 months ago

      The type of error where you have to give up trying to understand the user.

      • @[email protected]
        link
        fedilink
        374 months ago

        It’s quite simple actually: The user wanted to delete their account, but forgot their password so they requested a password reset. Before the password reset email was delivered, the user remembered their password and deleted their account. The password reset email is finally delivered and apparently some email clients open all the links in the background for whatever reason, so it wasn’t actually the user who clicked the password reset link.

        • @[email protected]
          link
          fedilink
          214 months ago

          apparently some email clients open all the links in the background for whatever reason

          What? Really??

          • TedvdB
            link
            fedilink
            354 months ago

            Yes, e.g. outlook replaces links in mails so they can scan the site first. Also some virusscanners offer nail protection, checking the site that’s linked to first, before allowing the mail to end up in the user’s mail client.

            Thats why you never take actions on a GET request, but require a form with button for the user to do a POST.

            • TrumpetX
              link
              fedilink
              English
              114 months ago

              It can be worse, we had to add a captcha for those link scanners cause they’d submit the forms and invalidate tokens too:(

              • @jaybone
                link
                44 months ago

                Wow. That sounds terrible. Good to know.

            • @[email protected]
              link
              fedilink
              24 months ago

              e.g. outlook replaces links in mails so they can scan the site first. Also some virusscanners offer nail protection, checking the site that’s linked to first, before allowing the mail to end up in the user’s mail client.

              Proofpoint does this too, but AFAIK they all just change the link rather than go to it. The link is checked when the user actually clicks on it. Makes sense to do it on-demand because the contents of the link can change between when the email is received and when the user actually clicks it.

          • @[email protected]
            link
            fedilink
            19
            edit-2
            4 months ago

            Yep. Apparently outlook does this and afaik because some kind of link sniffing/scam detection/whatever, but it does it by changing the first characters of each query argument around.

            We spent amazingly long time figuring that one out. “Who the hell has gotten Microsoft service querying our app with malformed query args and why”

    • lazynooblet
      link
      fedilink
      English
      164 months ago

      Not really the only reason. It would be better to just return “token invalid”.

      It could occur by someone messing with the URL from the reset password email, like accidently adding an extra character before pressing enter

      Or a poor email client that wraps the URL and doesn’t send the complete one when clicked.

      Or someone attempting to find a weakness in the reset password system and sending junk as the token.

      • @[email protected]
        link
        fedilink
        English
        8
        edit-2
        4 months ago

        Or an email client where you double click the link text to select it and press copy, and somehow this puts the link plus a trailing space in the clipboard to be pasted into a browser.

    • @jaybone
      link
      04 months ago

      Yeah that error status code seems like an odd way to reflect such a scenario.

  • @tourist
    link
    474 months ago

    Trying this every time I need to delete an account

    • @Omgarm
      link
      284 months ago

      “Let’s see how good their testers are.”

  • TedvdB
    link
    fedilink
    314 months ago

    Now the dev doesn’t need to comment this part of the code, saves him time.

  • @iAvicenna
    link
    244 months ago

    I can tell by the error msg this wasn’t an error before and was the cause of much grief

  • katy ✨
    link
    fedilink
    104 months ago

    whats wild is that all the returned values were the same this is only for a log value that probably zero people check

    • @[email protected]
      link
      fedilink
      English
      154 months ago

      I believe rule of thumb is to track/log at least one level deeper than what you show to the end user, to ease with troubleshooting and debugging.

      Beyond that, logs are only useless until they aren’t, and then if you don’t have them you’re in for a universe of pain.

  • @fox2263
    link
    English
    84 months ago

    How’d they know it was a he

    • @[email protected]
      link
      fedilink
      354 months ago

      Maybe there’s a specific person who keeps doing this and they wrote this error specifically for him.

      • @fox2263
        link
        English
        114 months ago

        Come on Dave sort yourself out.

        You know this is a porn site then! 😂

      • @jaybone
        link
        34 months ago

        You bitwise OR into the higher end bits the user id, in which you have already encoded the user’s gender. (For which you have a util method to extract. )

    • @[email protected]
      link
      fedilink
      164 months ago

      Don’t be silly; it’s obvious that there are different error messages for each gender expression. Error logs need to be detailed and specific in order to be useful.

    • @acetanilide
      link
      English
      24 months ago

      They were talking about me. They got my pronouns wrong. It’s ok though, because they will have many more opportunities to get it right.

  • FuglyDuck
    link
    English
    44 months ago

    PEBKAC.

    definitely a case of the PEBKAC

  • @[email protected]
    link
    fedilink
    34 months ago

    Is that python? If it’s, thank you, finally learned how to format text in a way that can be read on the script and in the execution.

    • @Korne127
      link
      94 months ago

      It isn’t, there are curly braces. It’s TypeScript.

    • @[email protected]
      link
      fedilink
      84 months ago

      As the other comments have already said it’s not Python. Not sure what you mean with text formatting, do you mean that it’s multiple strings that are concatenated using +? You don’t need the + in Python, you can do

      some_function(
          "part one of really long string"
          " part two of really long string"
      )
      

      Which is identical to

      some_function("part one of really long string part two of really long string")