fix security issue
index 94c203d104c902de9dd673a3713ad0c2e76a9fa7..58c5c47f1737ae300eaa31fc77152957903080fb 100644 (file)
@@ -2,27 +2,25 @@
 # Copyright (C) 2007, 2008 Benjamin Mako Hill <mako@atdot.cc>
 # Copyright (C) 2007 Massachusetts Institute of Technology
 #
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public
-# License along with this program.  If not, see
-# <http://www.gnu.org/licenses/>.
+# This program is free software. Please see the COPYING file for
+# details.
 
 class ElectionController < ApplicationController
   require_dependency "raw_voter_list"
   require_dependency "voter"
   require_dependency "vote"
   require_dependency "candidate"
+
+  helper :sparklines
   layout 'main'
 
+
+  before_filter :verify_owner,
+    :except => [:new, :general_information, :create_election]
+  before_filter :verify_not_active,
+    :except => [:new, :general_information, :create_election,
+                :show, :results, :details, :pref_tables]
+
   ## methods for displaying, creating,
   ## and manipulating election overview data
   ####################################################################
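Review bot: The two `before_filter` `:except` lists restate the same three public actions and have to be kept in sync by hand; a frozen constant makes the intent explicit, e.g. `PUBLIC_ACTIONS = [:new, :general_information, :create_election].freeze` and `before_filter :verify_owner, :except => PUBLIC_ACTIONS`, with `verify_not_active` taking `PUBLIC_ACTIONS + [:show, :results, :details, :pref_tables]`. These lists are the controller's access-control boundary, so a one-line comment saying that every action not listed requires the owner's session and an inactive election would help later readers. Using `:except` rather than `:only` is the right choice here, since any action added later is protected by default; that is also worth stating in the comment.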
@@ -45,7 +43,15 @@ class ElectionController < ApplicationController
     @election.user = session[:user]
     @election.anonymous = 1
     @election.startdate = Time.now
-
+    @election.type = 'Election'
+    
+    holder = create_theme_hash
+    unless holder.values.all? {|v| v.has_value?("")}
+      token_generator = UniqueTokenGenerator.new( 16 )
+      @election.embed_custom_string = token_generator.token
+      add_theme(@election.embed_custom_string)
+    end
+    
     if @election.save
       flash[:notice] = 'Election was successfully created.'
       redirect_to :action => 'edit_candidates', :id => @election.id
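Review bot: `add_theme(@election.embed_custom_string)` runs before `@election.save`, so the SkinPicture rows it creates are persisted even when the save fails and the form is re-rendered, leaving orphaned images keyed by a token that no election holds. Move the theme handling into the `if @election.save` branch ahead of the redirect, or wrap both in a transaction. The `holder.values.all? {|v| v.has_value?("")}` test treats "every slot has some empty field" as "nothing uploaded"; presumably `uploaded_data` is `""` for an empty file input, but a slot hash with an extra non-empty field would defeat it, so checking `uploaded_data.to_s.empty?` per slot, as `add_theme` itself does, would be clearer. The enclosing `create_election` starts before this hunk.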
@@ -54,35 +60,107 @@ class ElectionController < ApplicationController
     end
   end
   
-  # TODO add filter to verify that the person working on or looking at
-  # something is the owner
   def edit_general_information
+    @sidebar_content = render_to_string :partial => 'progress',
+                                        :locals => { :page => 'overview' }
     @election = Election.find(params[:id])
   end
   
   def update_general_information
     @election = Election.find(params[:id])
+    
+    holder = create_theme_hash
+    unless holder.values.all? {|v| v.has_value?("")}
+      unless @election.embed_custom_string
+        token_generator = UniqueTokenGenerator.new( 16 )
+        @election.embed_custom_string = token_generator.token
+      end
+      
+      add_theme(@election.embed_custom_string)
+    end
+    
     if @election.update_attributes(params[:election])
       flash[:notice] = 'Election was successfully updated.'
       redirect_to :action => 'show', :id => @election
     else
-      render :action => 'edit'
+      render :action => 'edit_general_information'
     end
   end
-
-
+  
+  #Takes care of uploading custom images 
+  #unnecessarily long, how can I compress?
+  def add_theme(prefix)
+    holder = create_theme_hash
+    unless params[:top_bar][:uploaded_data].to_s.empty?
+      previous = SkinPicture.find(:first,
+      :conditions => ["filename = ?", @election.embed_custom_string + "top_bar.png"])
+      if previous
+        previous.destroy
+      end
+      top_bar = SkinPicture.new(params[:top_bar])
+      top_bar.filename = prefix + "top_bar." + params[:top_bar][:uploaded_data].content_type[6..-2]
+      top_bar.save
+    end
+    unless params[:default_image][:uploaded_data].to_s.empty?
+      previous = SkinPicture.find(:first,
+      :conditions => ["filename = ?", @election.embed_custom_string + "default_image.png"])
+      if previous
+        previous.destroy
+      end
+      default_image = SkinPicture.new(params[:default_image])
+      default_image.filename = prefix + "default_image." + params[:default_image][:uploaded_data].content_type[6..-2]
+      default_image.save
+    end
+    unless params[:bg1][:uploaded_data].to_s.empty?
+      previous = SkinPicture.find(:first,
+      :conditions => ["filename = ?", @election.embed_custom_string + "bg1.png"])
+      if previous
+        previous.destroy
+      end
+      bg1 = SkinPicture.new(params[:bg1])  
+      bg1.filename = prefix + "bg1." + params[:bg1][:uploaded_data].content_type[6..-2]
+      bg1.save
+    end
+    unless params[:bg2][:uploaded_data].to_s.empty?
+      previous = SkinPicture.find(:first,
+      :conditions => ["filename = ?", @election.embed_custom_string + "bg2.png"])
+      if previous
+        previous.destroy
+      end
+      bg2 = SkinPicture.new(params[:bg2]) 
+      bg2.filename = prefix + "bg2." + params[:bg2][:uploaded_data].content_type[6..-2]
+      bg2.save
+    end
+    unless params[:bottom_bar][:uploaded_data].to_s.empty?
+      previous = SkinPicture.find(:first,
+      :conditions => ["filename = ?", @election.embed_custom_string + "bottom_bar.png"])
+      if previous
+        previous.destroy
+      end
+      bottom_bar = SkinPicture.new(params[:bottom_bar])
+      bottom_bar.filename = prefix + "bottom_bar." + params[:bottom_bar][:uploaded_data].content_type[6..-2]
+      bottom_bar.save
+    end
+        
+  end
+  
   def show
     @sidebar_content = render_to_string :partial => 'progress',
                                         :locals => { :page => 'review' }
 
     @election = Election.find(params[:id])
+    if @election.class  == QuickVote
+      redirect_to(:controller => 'quickvote', :action => 'index', :ident => @election.id)
+    end
+      
   end
 
   def start_election
     @election = Election.find(params[:id])
+    
     @election.voters.each do |voter|
       voter.vote = Vote.new
-      email_voter voter
+      email_voter voter unless voter.email.nil?
     end
 
     @election.activate!
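Review bot: `add_theme` is a public instance method of the controller, which in this Rails version makes it routable as an action, and it dereferences `params[:top_bar][:uploaded_data]` and the four sibling keys unconditionally, so a request carrying only some of the theme keys raises NoMethodError on nil. It belongs in the private section (or hidden with `hide_action :add_theme`) and should skip absent slots. The stored filename extension is `content_type[6..-2]` of the client-supplied type — presumably trimming a trailing CR from the multipart parser — so the suffix on disk is whatever the client sends; deriving it from an allowlist of accepted image types is safer, and the "previous" lookup should then match earlier uploads under any accepted suffix rather than only `.png` (it currently also uses `@election.embed_custom_string` where the new file uses `prefix`, which happen to coincide at both call sites). The five near-identical branches collapse to one loop keyed on the slot name, as below; `start_election` continues past the end of this hunk.
```ruby
# Theme slots a user may upload, and the accepted image types with the
# extension each one is stored under.
THEME_PARTS = %w[top_bar default_image bg1 bg2 bottom_bar].freeze
THEME_EXTENSIONS = { 'image/png' => 'png', 'image/jpeg' => 'jpg',
                     'image/gif' => 'gif' }.freeze

# Stores each uploaded theme image as "<prefix><part>.<ext>", replacing
# any earlier upload for the same slot. Keep this under `private` so it
# is not exposed as an action.
def add_theme(prefix)
  THEME_PARTS.each do |part|
    upload = params[part] && params[part][:uploaded_data]
    next if upload.to_s.empty?

    ext = THEME_EXTENSIONS[upload.content_type.to_s.strip]
    next unless ext # not an accepted image type; leave the slot untouched

    # remove the earlier picture for this slot whatever suffix it was stored under
    names = THEME_EXTENSIONS.values.map { |e| "#{prefix}#{part}.#{e}" }
    SkinPicture.find(:all, :conditions => ["filename IN (?)", names]).each { |p| p.destroy }

    picture = SkinPicture.new(params[part])
    picture.filename = "#{prefix}#{part}.#{ext}"
    picture.save
  end
end
```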
@@ -95,7 +173,7 @@ class ElectionController < ApplicationController
   def edit_candidates
     @sidebar_content = render_to_string :partial => 'progress',
                                         :locals => { :page => 'candidates' }
-    @election = Election.find( params[:id] )
+    @election = Election.find(params[:id] )
   end
 
   def add_candidate
@@ -118,12 +196,12 @@ class ElectionController < ApplicationController
   end
   
   def delete_candidate
-    candidate = Candidate.find( params[:id] )
+    candidate = Candidate.find(params[:candidate] )
     candidate.destroy
   end
 
   def candidate_picture
-    candidate = Candidate.find( params[:id] )
+    candidate = Candidate.find(params[:candidate])
     send_data( candidate.picture.data,
                :filename => candidate.picture.filename,
               :type => candidate.picture.filetype,
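Review bot: `delete_candidate` and `candidate_picture` now look the record up by `params[:candidate]`, but the ownership check introduced in the first hunk (`verify_owner`) only inspects `Election.find(params[:id])`, so nothing ties the candidate to the election that was authorized — the owner of one election can pass a candidate id belonging to another. Scope the lookup to the authorized election, e.g. `candidate = Election.find(params[:id]).candidates.find(params[:candidate])`, which raises RecordNotFound for a candidate from elsewhere. The same gap exists for `delete_voter` in the next hunk (`FullVoter.find(params[:voter])`), where `Election.find(params[:id]).voters.find(params[:voter])` would do, assuming the `voters` association yields the same records. `candidate_picture` continues past the end of this hunk.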
@@ -141,15 +219,17 @@ class ElectionController < ApplicationController
     @sidebar_content = render_to_string :partial => 'progress',
                                         :locals => { :page => 'voters' }
 
-    @election = Election.find( params[:id] )
+    @election = Election.find(params[:id])
+
     if params.has_key?( :raw_voter_list )
       process_incoming_voters( params[:raw_voter_list] )
     end
+    @edit = true
     @raw_voter_list = RawVoterList.new
   end
   
   def delete_voter
-    voter = Voter.find( params[:id] )
+    voter = FullVoter.find(params[:voter])
     voter.destroy
   end
 
@@ -166,38 +246,27 @@ class ElectionController < ApplicationController
   ## methods for computing and printing results
   ####################################################################
   def results
-    @election = Election.find( params[:id] )
-    votes = []
+    @election = Election.find(params[:id])
 
-    @election.voters.each do |voter|
-      if voter.vote and voter.vote.confirmed?
-        votes << voter.vote.rankings.sort.collect {|vote| vote.candidate_id}
-      end
+    if @election.early_results? \
+       or @election.enddate < Time.now
+      
+      # render results
+      @sidebar_content = render_to_string(:partial => 'full_results_sidebar')
+      render :template => 'common/results'
+    else
+      redirect_to :action => 'index'
     end
-    
-    @voteobj = CloneproofSSDVote.new(votes)
-    @resultobj = @voteobj.result
-    @winners = @resultobj.winners
-    
-    @candidates_by_id = {}
-    @election.candidates.each {|cand| @candidates_by_id[cand.id] = cand}
   end
   
-  def detailed_results
-   
-    self.results
-
-    @voter_list = []
-    @vote_list = []
-    @election.voters. each do |voter|
-      if voter.vote and voter.vote.confirmed?
-        @voter_list << voter.email
-             @vote_list << voter.vote
-      end
-    end
+  def pref_tables
+    @election = Election.find(params[:id])
+    render :template => 'common/pref_tables_wrapper', :layout => 'basic'
+  end
 
-    @vote_list.sort!
-    @vote_list.sort! { |a,b| a.token <=> b.token }
+  def details
+    @election = Election.find(params[:id])
+    render :template => 'common/details'
   end
 
   ## private methods
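Review bot: `details` and `pref_tables` render election data without the gate that `results` applies (`early_results?` or an `enddate` in the past), so if those templates expose tallies they are reachable while `results` still redirects; the same condition should guard all three, best as a private predicate such as `results_visible?` used as `return redirect_to(:action => 'index') unless results_visible?` at the top of each action. Within `results`, `or` split across a `\` continuation is easy to misread for `||`; prefer `if @election.early_results? || @election.enddate < Time.now` on one line. The `index` action being redirected to is not visible in this file, so that target could not be checked.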
@@ -233,5 +302,30 @@ class ElectionController < ApplicationController
         voter.save
       end
     end
+  
+    def create_theme_hash
+      target = Hash.new
+      params.each do |k,v|
+        target[k] = v if k=="top_bar" or k=="default_image" or k=="bg1" \
+                      or k=="bg2" or k=="bottom_bar"
+      end
+      return target
+    end
+
+    # verify that the person trying to edit the election is the owner
+    def verify_owner
+      election = Election.find(params[:id])
+      unless election.user == session[:user]
+        redirect_to :controller => 'front', :action => 'index' 
+      end
+    end
+
+    # verify that the election is not active
+    def verify_not_active
+      election = Election.find(params[:id])
+      unless election.active == 0
+        redirect_to :controller => 'front', :action => 'index' 
+      end
+    end
 
 end
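Review bot: `verify_owner` passes whenever `election.user == session[:user]`, which also holds when both are nil, so an election stored without an owner would be editable by anyone who is not logged in; require a session user explicitly, `unless session[:user] && election.user == session[:user]`. `verify_not_active` compares `active` with `0`, which is only right if `active` is an integer column (the `anonymous = 1` assignment in create_election suggests integer flags, but confirm against the schema, since a boolean column would make the filter redirect every request). Both filters and then the action each call `Election.find(params[:id])`; setting `@election ||= Election.find(params[:id])` in the filters would let the actions reuse it, and the trailing spaces after `'index'` on both redirect lines should go. These helpers sit under the `## private methods` heading whose `private` keyword is outside the hunk, so their visibility could not be confirmed here.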
