A Buncha Things from A Buncha Experimenting #1

New issue

Open

opened 2026-02-23 18:27:59 -05:00 by Heathercat123 · 0 comments

Heathercat123 commented

2026-02-23 18:27:59 -05:00

Note that most of these are simply oddities and not rules per say.

Registration

As you probably already know, the 2.0 registration modal is still there and can be accessed by using the login modal which can be opened either by trying to comment while logged out or trying to sign in on a mobile device (tested with an iPhone 4s).
Similar deal with the 2.0 student promotion modal:

See code

$.getScript('/scratchr2/static/js/apps/registration/student.js');  
$('#registration').append($('\<div id="student-registration-data"/\>'));  
Scratch.Registration.studentmodal =  new Scratch.Registration.StudentRegistrationView({el: '#student-registration-data'});  
$('#registration').modal('show');

The teacher one, though, just redirects to the login page, which redirects to the home page when already logged in:

See code

$.getScript('/scratchr2/static/js/apps/registration/educator.js');
$('#registration').append($('<div id="#educator-registration-data"/>'));
Scratch.Registration.educatormodal =  new Scratch.Registration.educatorRegistrationView({el: '#educator-registration-data'});
$('#registration').modal('show');

The registration modal that was embedded in early WWW versions also still exists.
And so does the code to use it (set useScratch3Registration to false in /src/redux/navigation.js and remove register-redirect from routes.json).
IIRC I've read somewhere in the WWW issues or PRs or whatever that the new 3.0 registration was supposed to be a modal on the entirety of WWW, not just the editor, and that the /join page would have been only for ScratchR2. I can't seem to find anything stating this other than screenshots showing it off.

Bans

Banned users can view the ScratchR2 For Parents and About Scratch using /about%2F and /parents%2F, but not their WWW equivalent or the For Educators page.
Banned users can view every ScratchR2 page under /help/, even 404s.
There used to be a special WWW version of the ban response page specifically for bad usernames. It was removed a month after, so it probably never made it to production.
Nevertheless, its translatable strings are still in Scratch-WWW and it's still marked as viewable by banned users in WWW (not in ScratchR2 though).

Misc

The Membership settings use the lamest 403 ever (so a blank page).
The "Follow discussion" button appears even when logged out. When clicked, it will try to POST an URL just to be redirected to the login page. Since the javascript receives a 200, to the user, it will look like they have just followed a discussion somehow.
There are four types of alerts: The general one, the project one, the forums' and the ban response's ugly one.
Most of the code for rendering the Scratch 2 scratcher promotion modal is still there except for the modal itself: Scratch.UserProfile.ScratcherPromotion.prototype.showModal({preventDefault : function(){}});
Most of the ScratchR2 pages can be seen by replacing the last slash with %2F: https://scratch.mit.edu/about%2F.
The Contact Us page has special code for handling iOS < 11 devices where it will display a form directly on the page instead of having a pop-up, though the form has changed enough so that it looks completely broken. Luckily though, iOS 10 Safari is simply too old to actually render Scratch-WWW.
When you follow someone or a studio, the server replies with a json containing information on your own user account. More specifically, it's the same as /users/all/, but inside an array.
Nobody can stop us from seeing unshared projects.
ScratchR2 is perfect and has no bugs.
The /projects/all page internally used by My Stuff doesn't have any check to see if the page number is a valid integer. Passing in a string will cause a 500.
The Scratch 2.0 Beta shared projects and favorite projects pages still exist. There's also a loved projects page (note that both are the same for me only because I always love AND fave projects).
Scratch-WWW is hosted on Amazon S3. Same thing for the scratch.ly version.
filter.scratch.ly and assets.scratch.ly aren't blocked.
cdn.scratch.mit.edu/assets is... uh... a ScratchR2 404.
This cursed ahh url (https://cdn.scratch.mit.edu/scratchr2/static..%2F..%2F../scratchr2/static/images/cat-b.png) works for some reason, isn't that nice? (might be generic nginx behavior)
The Scratch 1.4 to 2.0 database migration took about a day and a half

Django version

The exposed pages that come directly from Django are jsi18n, the CSRF error view and the rare debug errors (only exposed during website updates afaik).
The first of these, based on an experiment I did back in (or maybe early 2025), perfectly matches the one from Django 1.6 up to Django 1.8.
The version used previously, Django 1.4 LTS (or at least that's the only one that works with stock S2Forums iirc), stopped getting support in 2015, a year before the last S2Forums commit.
As such, we can assume that the Scratch Team often updates their Django after it's out of support and that they only use LTS versions.
ScratchR2 slowly started to get replaced by Scratch-WWW and the REST API in 2015.
So, when Django 1.8 stopped getting support in 2018, they might have left the poor ScratchR2 behind...
But who knows?

Note that most of these are simply oddities and not rules per say. # Registration - As you probably already know, the 2.0 registration modal is still there and can be accessed by using the login modal which can be opened either by trying to comment while logged out or trying to sign in on a mobile device (tested with an iPhone 4s). - Similar deal with the [2.0 student promotion modal](https://scratch.mit.edu/classes/modal-registration/): <details> <summary>See code</summary> ``` $.getScript('/scratchr2/static/js/apps/registration/student.js'); $('#registration').append($('\<div id="student-registration-data"/\>')); Scratch.Registration.studentmodal = new Scratch.Registration.StudentRegistrationView({el: '#student-registration-data'}); $('#registration').modal('show'); ``` </details> - The teacher one, though, just [redirects to the login page, which redirects to the home page when already logged in](https://scratch.mit.edu/classes/educator-modal-registration/): <details> <summary>See code</summary> ``` $.getScript('/scratchr2/static/js/apps/registration/educator.js'); $('#registration').append($('<div id="#educator-registration-data"/>')); Scratch.Registration.educatormodal = new Scratch.Registration.educatorRegistrationView({el: '#educator-registration-data'}); $('#registration').modal('show'); ``` </details> - The registration modal that was embedded in early WWW versions [also still exists](https://scratch.mit.edu/accounts/standalone-registration%2F). - And so does the code to use it (set `useScratch3Registration` to false in `/src/redux/navigation.js` and remove `register-redirect` from `routes.json`). - IIRC I've read somewhere in the WWW issues or PRs or whatever that the new 3.0 registration was supposed to be a modal on the entirety of WWW, not just the editor, and that the `/join` page would have been only for ScratchR2. I can't seem to find anything stating this other than [screenshots](https://user-images.githubusercontent.com/3431616/60993357-4eebd180-a31c-11e9-92af-1e17234ea49c.png) showing it off. # Bans - Banned users can view the ScratchR2 For Parents and About Scratch using [/about%2F](https://scratch.mit.edu/about%2F) and [/parents%2F](https://scratch.mit.edu/parents%2F), but not their WWW equivalent or the For Educators page. - Banned users can view every ScratchR2 page under `/help/`, even 404s. - There used to be a special WWW version of the [ban response page specifically for bad usernames](https://github.com/scratchfoundation/scratch-www/pull/7656). It was [removed a month after](https://github.com/scratchfoundation/scratch-www/pull/7770), so it probably never made it to production. - Nevertheless, its translatable strings are [still in Scratch-WWW](https://github.com/scratchfoundation/scratch-www/blob/af9909642ccc872159c386b719577efc8142edca/src/l10n.json#L497) and it's [still marked as viewable by banned users in WWW](https://github.com/scratchfoundation/scratch-www/blob/af9909642ccc872159c386b719577efc8142edca/src/redux/session.js#L19) (not in ScratchR2 though). # Misc - The Membership settings use [the lamest 403 ever](https://scratch.mit.edu/accounts/membership_settings/) (so a blank page). - The "Follow discussion" button appears even when logged out. When clicked, it will try to POST an URL just to be redirected to the login page. Since the javascript receives a 200, to the user, it will look like they have just followed a discussion somehow. - There are four types of alerts: The general one, the project one, the forums' and the ban response's ugly one. - Most of the code for rendering the Scratch 2 scratcher promotion modal is still there except for the modal itself: `Scratch.UserProfile.ScratcherPromotion.prototype.showModal({preventDefault : function(){}});` - Most of the ScratchR2 pages can be seen by replacing the last slash with `%2F`: <https://scratch.mit.edu/about%2F>. - The Contact Us page has special code for handling iOS < 11 devices where it will display a form directly on the page instead of having a pop-up, though the form has changed enough so that it looks completely broken. Luckily though, iOS 10 Safari is simply too old to actually render Scratch-WWW. - When you follow someone or a studio, the server replies with a json containing information on your own user account. More specifically, it's the same as [/users/all/<username>](https://scratch.mit.edu/site-api/users/all/defnotyarrow/), but inside an array. - [Nobody can stop us from seeing unshared projects](https://scratch-projects.scratch.org/1). - ScratchR2 is perfect and [has no bugs](https://scratch.mit.edu/users/5nk/). - The [/projects/all](https://scratch.mit.edu/site-api/projects/all/) page internally used by My Stuff doesn't have any check to see if the page number is a valid integer. Passing in a string will cause a [500](https://scratch.mit.edu/site-api/projects/all/?page=meow). - The Scratch 2.0 Beta [shared projects](https://scratch.mit.edu/projects/all/DefNotYarrow/public/) and [favorite projects](https://scratch.mit.edu/projects/all/DefNotYarrow/favorites/) pages still exist. There's also a [loved projects](https://scratch.mit.edu/projects/all/DefNotYarrow/loves/) page (note that both are the same for me only because I always love AND fave projects). - Scratch-WWW is hosted on [Amazon S3](http://scratch-www-production.s3.dualstack.us-east-1.amazonaws.com/splash.html). Same thing for the [scratch.ly](http://scratch-www-staging.s3.dualstack.us-east-1.amazonaws.com/splash.html) version. - [filter.scratch.ly](https://filter.scratch.ly/) and [assets.scratch.ly](https://assets.scratch.ly/176c4fb4df80df899ca28a48bd1f0edf.svg) aren't blocked. - [cdn.scratch.mit.edu/assets](https://cdn.scratch.mit.edu/static) is... uh... a ScratchR2 404. - This cursed ahh url (<https://cdn.scratch.mit.edu/scratchr2/static..%2F..%2F../scratchr2/static/images/cat-b.png>) works for some reason, isn't that nice? (might be generic nginx behavior) - The Scratch 1.4 to 2.0 database migration took [about a day and a half](https://scratch.mit.edu/discuss/post/24563/) # Django version - The exposed pages that come directly from Django are [jsi18n](https://scratch.mit.edu/jsi18n/), the CSRF error view and the rare debug errors (only exposed during website updates afaik). - The first of these, based on an experiment I did back in (or maybe early 2025), perfectly matches the one from Django 1.6 up to Django 1.8. - The version used previously, Django 1.4 LTS (or at least that's the only one that works with stock S2Forums iirc), stopped getting support in 2015, a year before the last S2Forums commit. - As such, we can assume that the Scratch Team often updates their Django after it's out of support and that they only use LTS versions. - ScratchR2 slowly started to get replaced by Scratch-WWW and the REST API in 2015. - So, when Django 1.8 stopped getting support in 2018, they might have left the poor ScratchR2 behind... - But who knows?

Heathercat123 changed title from ~~A Buncha Things from A Buncha Reversing~~ to A Buncha Things from A Buncha Experimenting

2026-02-23 18:28:16 -05:00

No labels

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

chipmunkmc/scratch-eleusis#1

No description provided.

Rows
Columns