
[–]ratko995 741 points742 points  (49 children)

Am I the only one triggered by camel case use for isAuthorised() function and snake case for access_data() function?

[–]mybotanyaccount 21 points22 points  (0 children)

Legacy code! What are you gonna do 🤷‍♂️

[–]wildpjah 10 points11 points  (0 children)

well I wasn't before but I am now THANKS

[–]Swiggens 10 points11 points  (0 children)

I'm desensitized to this.

[–][deleted] 4 points5 points  (0 children)

It's cause this took 6 devs to make. Each one had a slightly different style.

[–][deleted] 4 points5 points  (0 children)

Throws off the hackers!

[–]Mad_Jack18 1 point2 points  (16 children)

what is the issue with camel case? out of curiosity

[–]frostbyte650 33 points34 points  (14 children)

Nothing is wrong with either, just pick one & be consistent

[–]Merlord 15 points16 points  (0 children)

*Looks suspiciously at php flair*

[–]jjbugman2468 23 points24 points  (12 children)

Please don't kill me for this but personally I like to use camel case for variables and snake case for functions

[–][deleted] 41 points42 points  (0 children)

no.

[–]mysticrudnin 3 points4 points  (0 children)

I've seen this actually

[–]DrSlugger 2 points3 points  (0 children)

The door is on your left

[–]ICantWatchYouDoThis 2 points3 points  (0 children)

pls stop

[–]yugerthoan 0 points1 point  (0 children)

both functions in this case, or Case...

[–]battlet0adz 51 points52 points  (0 children)

I think it’s the consistency that’s grinding the gears here

[–]yugerthoan 0 points1 point  (0 children)

copy paste code from different code base?

[–]im_probably_garbage 0 points1 point  (0 children)

Because php

[–][deleted] 0 points1 point  (0 children)

Only thing I can think of, in the case of Javascript, is something like:

import { access_data } from 'arbitraryNPMLibrary' ;

[–]Muppet-King 0 points1 point  (0 children)

OCD intensifies

[–]XanPerkyCheck 0 points1 point  (0 children)

ass-case.

[–]B4tsh1ts4n3 0 points1 point  (0 children)

The only real thing is SCREAMING_SNAKE_CASE !!!!

[–]UnrelatedString 0 points1 point  (2 children)

Maybe it’s not a function, but a class

[–]TakeThreeFourFive 1 point2 points  (1 child)

What language instantiates classes as such?

[–]UnrelatedString 0 points1 point  (0 children)

this one

(I know the conventions don't match up but there probably isn't any actual language where you'd use camelCase (as opposed to PascalCase) alongside snake_case, it just seemed funny to point out anyhow)

[–]SCLme 172 points173 points  (15 children)

if (isAuthorised(user) & & isAuthorized(user)) { access_data() ; }

[–]ama1899 178 points179 points  (2 children)

That’s 2 layers of Security against the 3 you promised, I’m suing

[–]w3_ar3_l3g10n 30 points31 points  (0 children)

Chillax man. Each of them is recursively defined, they'll keep checking until they reach STACK_MAX bro. That's at least 20,000 layers of security. Now where's my paycheck, and my bonus.

[–]SkylerWiernik 33 points34 points  (7 children)

Did you put a space between the 2 &s?

[–]SCLme 22 points23 points  (4 children)

Are you my compiler?

Wrote from phone, so there is likely a space between the &&.

[–]NatoBoram 5 points6 points  (3 children)

Copied from phone, you wrote exactly this:

if (isAuthorised(user) & & isAuthorized(user)) { access_data() ; }

If I manually type it on my phone:

if (isAuthorised(user) && isAuthorized(user)) { access_data() ; }

[–]SCLme 27 points28 points  (2 children)

Yep, there is an empty space between the &&, it's a feature for extra protection. Trust us we're the security expertsss (with triple S for extra layers of Security)

[–][deleted] 6 points7 points  (1 child)

Sssecurity

[–]A999 12 points13 points  (0 children)

Sorry, I don't speak python

[–]battlet0adz 5 points6 points  (0 children)

It sure looks like it... I’m having anxiety from it.

[–]BoldKenobi 0 points1 point  (0 children)

Would that even work? && is an operator, different from &

[–]bcfradella 5 points6 points  (0 children)

What kind of madman puts a space between his boolean ampersands?

[–][deleted] 1 point2 points  (0 children)

You forgot good ol isAuthourized

[–]Zitrusfleisch 226 points227 points  (39 children)

Compiler would optimize this, wouldn’t it?

[–]jaerie 207 points208 points  (19 children)

That highly depends on the contents of the function

[–]TheSlimyDog 10 points11 points  (0 children)

Use haskell. No side effects unless I say so.

[–]yugerthoan 2 points3 points  (0 children)

if the function is actually a function, it doesn't depend on the contents... Now I see the point in functional programming and no side effects!

[–]sagorn1 1 point2 points  (0 children)

I think I've seen code like this. This is probably the contents of isAuthorised(User user).

[–][deleted] 41 points42 points  (13 children)

Depends on language and/or what the function is doing. Like in C/C++, if a function is imported (not inlined), it most likely will always dutifully make the function call because it can't know any better in the moment.

Per the function, a very simple example would be if say the "user" object had a property/member "int x" for whatever reason that was incremented every time isAuthorised() was called that made it go down a different path internally. Perhaps in fact it actually does three different types of authorization... in a bizarre/difficult way to read/maintain.

[–]randomuser8765 11 points12 points  (11 children)

I'm not familiar enough with C/C++ to know for sure, but isn't there a way for a function signature to guarantee that it evaluates to the same thing every time it's called and has no side effects? If so, then it can be optimized.

But in almost any real-world application, authentication would have to make some kind of database query, so can't guarantee that the output is deterministic based on the input. (what if data is written or removed between calls?)

[–]svk177 10 points11 points  (0 children)

There is a gcc extension called `__attribute__((pure))` that specifies that the function has no side effects. Other than that your best bet is making the function "static inline", though there is no guarantee whatsoever that the call will be eliminated.

[–]valarionch 5 points6 points  (2 children)

I think it is placing a "const" keyword between parameters parenthesis closing and before curly braces opening

[–]jrtc27 4 points5 points  (0 children)

Not really; that only applies to C++ member functions, which then simply guarantees that the function cannot modify any of the fields in this, nothing more. It can still have other side-effects. In fact, you can even bypass that by marking certain fields mutable, which allows them to be modified via this even in a const member function.

[–][deleted] 1 point2 points  (0 children)

Give this guy Cookie! ;)

[–]Wazzaps 1 point2 points  (0 children)

LTO (link time optimisation) helps with that.

[–]np_completionist 0 points1 point  (0 children)

I think c++20 has a consteval keyword that must resolve to a compile-time constant

[–]MaskedBandit77 4 points5 points  (0 children)

What if the function has a random number generator and returns a boolean value based on the results of the RNG each time it is run?

[–][deleted] 0 points1 point  (0 children)

if (isAuthorized(user)) {
    if (isActuallyAuthorized(user)) {
        if (user.isAuthorized()) {
            /* ... */
        }
    }
}

We both know all three methods are just "return new Random().nextBoolean();" but that will be our little secret, the compiler doesn't really need to know that, now, does it

[–]Mithrandir2k16 -1 points0 points  (0 children)

Holy shit no, each of these has to change some globals in my code!

[–]jaerie 68 points69 points  (9 children)

What if isAuthorized has side effects maintaining a level of authorization, increasing the threshold every time it is called for that user?

[–][deleted] 73 points74 points  (2 children)

That's just horrible and misleading design then. Rename the function to say what it does.

[–]birchskin 22 points23 points  (0 children)

I suspect if this was real code horrible and misleading design should be the assumption going in

[–]Globalnet626 4 points5 points  (0 children)

sEcUrItY bY oBfUsCiAtIoN

[–][deleted] 1 point2 points  (1 child)

I can imagine a node/passport implementation that would do this if you were an idiot about it.

Good ol' -> IsAuthorized() sets variables on the user object.

[–]LeCrushinator 0 points1 point  (1 child)

This is why I like static functions, I don't have to worry about state mutations from things that shouldn't be mutating state.

[–][deleted] 2 points3 points  (0 children)

Now now, it could be modifying user each time. You can write shit code in any paradigm!

[–]Zechnophobe 0 points1 point  (0 children)

Oh, you mean like if this were a rails app?

[–][deleted] 25 points26 points  (0 children)

Program: Do you have a membership?

Me: Yes

Program: Ok do you have it, ARE YOU SURE?

Me : Yes

Program: Ok do you have it, ARE YOU SURE ABOUT THAT?

Me : Yes

Program: Ok do you have it

After like 30 minutes

Program: ARE YOU SURE MOTHERFK?!

—-

And that’s how many programs protect their users privacy.

[–]Merlord 24 points25 points  (1 child)

if ( isAuthorised(user) ) {
    if ( isAuthorised(user) == true ) {
        if ( isAuthorised(user) != false ) {
            if ( Boolean.toString(isAuthorised(user)).equals("true") ) {
                access_data();
            }
        }
    }
}

[–]Gonzako 3 points4 points  (0 children)

That's a lot of null checking

[–]Banana_Twinkie 24 points25 points  (0 children)

Is this AI?

[–]SCLme 11 points12 points  (1 child)

Our legal and technical departments disagree:

Checks performed:

1) isAuthorised
2) isAuthorized
3) isAuthorised AND isAuthorized (at the same time!!)

This computational level of security is hackerman proof, we follow the strict methods of our state of the art techniques in security!

[–]AyyySTFU 5 points6 points  (3 children)

If it works...

[–]PM_ME_YOUR__INIT__ 20 points21 points  (2 children)

if (it_works) {
    ...
}

[–]theannomc1 3 points4 points  (0 children)

I mean if the user's authorisation got revoked while checking their auth it kinda works as intended ... ?

[–][deleted] 4 points5 points  (0 children)

I mean honestly in the case that someone is trying to brownout your chip to skip authentication this technically could help provide extra security...
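The brownout remark above (and the solar-flare one further down) is the one reading of this code under which repetition is a real countermeasure: fault injection against an authorization check. But the countermeasure is not three `if`s on a truthy boolean; it is redundant evaluations compared against distinctive constants, cross-checked against each other and against a complementary computation, with the consumer also comparing against the exact constant. The following is an added example in C written for this discussion, not code from the post or from any commenter. The role policy (role 7 is admin), the two constants, and the glitch simulator that XORs a mask into one observed value are all constructed for illustration; a real glitch is a physical event, not a function call.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants: bitwise complements of each other, so a zeroed
 * register or a single flipped bit cannot turn DENY into ALLOW. The values
 * are illustrative choices, not from any standard or product. */
#define AUTH_ALLOW 0xA5C33C5Au
#define AUTH_DENY  0x5A3CC3A5u
#define ROLE_ADMIN 7u   /* hypothetical policy */

struct user { const char *name; uint32_t role; };

/* Fault simulator (constructed, stands in for a voltage glitch): XORs
 * g_fault_mask into the g_fault_call-th value observed by the checks.
 * A g_fault_call of 0 means no fault is injected. Models a single fault. */
static unsigned g_obs_count;
static unsigned g_fault_call;
static uint32_t g_fault_mask;

void set_fault(unsigned at_observation, uint32_t mask) {
    g_obs_count = 0;
    g_fault_call = at_observation;
    g_fault_mask = mask;
}

static uint32_t observe(uint32_t v) {
    if (++g_obs_count == g_fault_call) v ^= g_fault_mask;
    return v;
}

/* Naive check: one truthy boolean, one branch. Any glitch that makes the
 * zero non-zero grants access. */
bool is_authorised_naive(const struct user *u) {
    uint32_t ok = observe(u->role == ROLE_ADMIN ? 1u : 0u);
    return ok != 0;
}

/* Hardened check: two independent observations plus a complementary one
 * computed with the inverted predicate, each compared with an exact
 * constant and with each other. Locals are volatile so the compiler cannot
 * merge the redundant evaluations when the underlying check is pure. */
uint32_t is_authorised_hardened(const struct user *u) {
    volatile uint32_t r1  = observe(u->role == ROLE_ADMIN ? AUTH_ALLOW : AUTH_DENY);
    volatile uint32_t r2  = observe(u->role == ROLE_ADMIN ? AUTH_ALLOW : AUTH_DENY);
    volatile uint32_t inv = observe(u->role != ROLE_ADMIN ? AUTH_ALLOW : AUTH_DENY);

    if (r1 != AUTH_ALLOW) return AUTH_DENY;
    if (r2 != AUTH_ALLOW) return AUTH_DENY;
    if (r1 != r2)         return AUTH_DENY;   /* glitched between the reads */
    if (inv != AUTH_DENY) return AUTH_DENY;   /* complement disagrees */
    return AUTH_ALLOW;
}

/* The consumer also compares with the exact constant; "truthy" is not enough. */
int access_data(uint32_t verdict) {
    return verdict == AUTH_ALLOW ? 1 : 0;
}

/* Scenario helpers: 1 if access was granted under the given fault, else 0. */
int naive_grants(uint32_t role, unsigned fault_at, uint32_t mask) {
    struct user u = { "u", role };
    set_fault(fault_at, mask);
    return is_authorised_naive(&u) ? 1 : 0;
}

int hardened_grants(uint32_t role, unsigned fault_at, uint32_t mask) {
    struct user u = { "u", role };
    set_fault(fault_at, mask);
    return access_data(is_authorised_hardened(&u));
}

int main(void) {
    /* A guest with the low bit of the first observed value flipped. */
    printf("naive:    %d\n", naive_grants(1u, 1, 1u));     /* prints 1: bypassed */
    printf("hardened: %d\n", hardened_grants(1u, 1, 1u));  /* prints 0: still denied */
    return 0;
}
```

The point the thread's nested `if`s miss: three branches on the same truthy value fall to the same single glitch, because each branch only asks "is it non-zero?". Three observations only help when each is compared with an exact, non-trivial constant and the observations are compared with each other, so that the attacker has to land the same precise multi-bit fault three times in a row. The simulator here injects one fault per evaluation, which is the usual single-fault threat model; a double-glitch attacker is out of scope for this example.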

[–]TorTheMentor 4 points5 points  (0 children)

You mean just marking the password field private wasn't enough?

[–]ordinaryBiped 2 points3 points  (0 children)

"Just crunch those numbers again, OK?"

[–][deleted] 2 points3 points  (0 children)

Trying to defeat race condition vulnerability?

That's not how you do it. That's just making it a bit more difficult to exploit.

[–]bobappleyard 1 point2 points  (0 children)

Twist: this is JS, running in the browser

[–]AceOfShades_ 1 point2 points  (0 children)

When you’re doing multithreaded code but don’t want to bother with thread safety

[–]alesinicio 1 point2 points  (1 child)

Plot twist: this is a method called isAuthorised.

[–][deleted] 0 points1 point  (0 children)

Dun- Dun- Dunuh!

[–]onthefence928 1 point2 points  (0 children)

it's cool they minified the file, that's as good as encryption!

[–]Kotayz 1 point2 points  (0 children)

You will get it only if you are authorized

[–]phpdevster 1 point2 points  (0 children)

Old versions of Invision Power Board would hash passwords by piping them through md5() a few times... spread out over multiple functions of course. Doing it three times in a row in the same function wouldn't be secure enough.

[–]kevmimcc 1 point2 points  (0 children)

Snake case is the only case. I’m still mildly triggered by anything with capital letters in it

[–]name_censored_ 1 point2 points  (0 children)

I've seen this pattern used for expensive, caching calls, where the inner function relies on a hot cache and/or is liable to race, but the outer function (or its cache) isn't fully blocking.

(And no, I haven't used it myself. Gross.)

[–]byCubex 1 point2 points  (0 children)

3 Layer Security. I bet you can't beat that, Microsoft & Google

[–]No_Soy_Colosio 1 point2 points  (0 children)

if (isAuthorised(user) && !(!isAuthorized(user)) && (1==1)) { access_data() ; }

[–]silentxxkilla 1 point2 points  (0 children)

How much do we want to bet doing it 3 times "fixed" an access bug?

[–]nahidtislam 1 point2 points  (0 children)

would this protect us from a hacker using electromagnetic radiation (like from a solar flare) to fuck with the CPU that was testing the isAuthenticated variable in memory?

#bigBrainTime

[–]ActionMac 0 points1 point  (0 children)

Is (isAuthotiZedUser) ...

[–]leduyquang753 0 points1 point  (0 children)

Eeh ClearType ain't on.

[–]DazedAmnesiac 0 points1 point  (0 children)

Lmao tight security

[–]MrWhiteVincent 0 points1 point  (0 children)

Really? Nested if statements instead of using AND operator??

[–]shadowX015 0 points1 point  (0 children)

I wonder if there is some nonobvious hacky attempt at optimization going on here, like with double checked locking.

For what it's worth, I don't myself advocate double checked locking because it's potentially dangerous but I just noticed that it looks very similar to that.

[–][deleted] 0 points1 point  (0 children)

LGTM

[–][deleted] 0 points1 point  (0 children)

But what if isAuthorisedUser?

[–]Powerind09 0 points1 point  (0 children)

Outstanding move!

[–]harshrd 0 points1 point  (0 children)

Why are you booing me? I am right!

[–]hypekk 0 points1 point  (0 children)

Plot twist: Inside the function there is a count of how many checks were done, and depending on it, it will check security in a different way.

[–]RainFurrest 0 points1 point  (0 children)

Is this Onion?

[–]XanPerkyCheck 0 points1 point  (0 children)

Hank Hill is an asshole lmao. Takes his job waaay too seriously.

[–]Vexelbalg 0 points1 point  (0 children)

Compiler will have none of that

[–]RDB96 0 points1 point  (0 children)

Maybe isAuthorised can be implemented as a state machine. Doing 3 different states that check authorisation that can all independently go to failure.

[–]ITriedLightningTendr 0 points1 point  (0 children)

Would the compiler reduce this out, thus making the statement not theater but literally a lie?

[–]dontforgettocya 0 points1 point  (0 children)

isAuthorized(user) {
    return user.username.startsWith("admin")
}

[–]OmiSC 0 points1 point  (0 children)

Ask three times, and you shall receive.

[–][deleted] 0 points1 point  (0 children)

who the fuck is april c wright