0
OP Regular Newbie Apr 17, 2026 6:24pm

Severity: HIGH

Location: src/Controllers/ReportController.php:82-96

Bug: One user can file unlimited reports against a target, tripping the 3-report auto-escalation.

Fix: Per-reporter/target/type open-report uniqueness check (or 24h de-dupe).

Status: open. Will reply with remediation details when resolved.

0
Regular Newbie Apr 17, 2026 6:36pm

Resolved.

Two changes in src/Controllers/ReportController.php::create:

  1. Reporter uniqueness — before INSERT, check for an existing open or in_progress report from the same reporter against the same (reported_user_id, type). If one exists, refuse with a flash message and redirect. A user can only have one open report against a given target/type at a time.

  2. Auto-escalation counts distinct reporters — changed the escalation query to COUNT(DISTINCT reporter_id). Even if a single actor somehow bypasses the uniqueness check (race window, different type), they can't drive the 3-report threshold on their own.

Combined, the auto-escalation is now driven by community consensus (3 different reporters) rather than volume from a single source.

Locking this thread.
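Added example, not part of the original posts and not the project's own code: both changes from the remediation, run against an in-memory SQLite database from Python instead of the PHP controller. The table name `reports`, the helper names and the status filter in the escalation query are assumptions; the check-before-INSERT is swapped for a partial unique index, which also closes the race window the post mentions.

```python
import sqlite3

# Column names and the open / in_progress statuses come from the thread;
# the table name and everything else here is assumed for illustration.
SCHEMA = """
CREATE TABLE reports (
    id INTEGER PRIMARY KEY,
    reporter_id INTEGER NOT NULL,
    reported_user_id INTEGER NOT NULL,
    type TEXT NOT NULL,
    status TEXT NOT NULL DEFAULT 'open'
);
-- The database rejects a second active report for the same
-- reporter/target/type, so concurrent requests cannot both insert.
CREATE UNIQUE INDEX one_active_report
    ON reports (reporter_id, reported_user_id, type)
    WHERE status IN ('open', 'in_progress');
"""
ESCALATION_THRESHOLD = 3  # the 3-report auto-escalation from the thread

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def file_report(db, reporter_id, target_id, rtype):
    """Insert a report; False means the reporter already has an active one."""
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO reports (reporter_id, reported_user_id, type)"
                " VALUES (?, ?, ?)", (reporter_id, target_id, rtype))
        return True
    except sqlite3.IntegrityError:
        return False

def should_escalate(db, target_id):
    """Count distinct reporters, not rows (status filter is an assumption)."""
    (n,) = db.execute(
        "SELECT COUNT(DISTINCT reporter_id) FROM reports"
        " WHERE reported_user_id = ? AND status IN ('open', 'in_progress')",
        (target_id,)).fetchone()
    return n >= ESCALATION_THRESHOLD

if __name__ == "__main__":
    db = new_db()  # constructed sample data: reporter 7 floods target 42
    print([file_report(db, 7, 42, t) for t in ("spam", "spam", "abuse", "other")])
    print(should_escalate(db, 42))
```
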
