fix security issue

[selectricity] / app / controllers / quickvote_controller.rb

# Selectricity: Voting Machinery for the Masses
# Copyright (C) 2007, 2008 Benjamin Mako Hill <mako@atdot.cc>
# Copyright (C) 2007 Massachusetts Institute of Technology
#
# This program is free software. Please see the COPYING file for
# details.

class QuickvoteController < ApplicationController
  helper :sparklines
  layout 'main'
  require_dependency "quick_voter"
  require_dependency "quick_vote"
  require_dependency "vote"
  require_dependency "election"
  
  #############################################################
  # the following methods pertain to creating quickvotes
  #############################################################

  def create
    if params[:quickvote]
      @quickvote = QuickVote.new(params[:quickvote])

      # check to see if any of the advanced options have been changed
      new_qv = QuickVote.new
      if @quickvote.election_method != new_qv.election_method \
        or @quickvote.enddate.day != new_qv.enddate.day \
        or @quickvote.viewable != new_qv.viewable \
        or @quickvote.notices != new_qv.notices
        show_advanced = true
      end
    end

    show_advanced ||= false

    if params[:quickvote]

      # store the candidate grabbed through ajax and stored in flash
      @quickvote.candidate_names = flash[:candidate_names]
      @quickvote.description=@quickvote.description

      #record who created the quickvote so that person can monitor it easily
      @quickvote.quickuser = session.session_id

      #Give registered users additional QuickVote functionality 
      @quickvote.user_id = session[:user][:id] if session[:user]
      @quickvote.create_candidates

      # try to save, if it fails, show the page again (the flash should
      # still be intact
      if @quickvote.save
        @quickvote = @quickvote.reload
        # blank sidebar and show the success page
        @sidebar_content = ''
        render :action => 'success'
      else
        # render the sidebar
        @sidebar_content = render_to_string(:partial => 'create_sidebar',
          :locals => {:show_advanced => show_advanced})
        flash.keep(:candidate_names)
      end 

    else
      # if we don't have a quickvote param, it means that the person
      # here has not been hitting this page and we can clear any
      # candidate_names list in the flash
      flash.delete(:candidate_names) if flash.has_key?(:candidate_names)
      @quickvote = QuickVote.new
      @sidebar_content = render_to_string(:partial => 'create_sidebar',
        :locals => {:show_advanced => show_advanced})
    end

  end

  def add_candidate
    candidate_name = params[:ajax][:newcandidate]
    unless candidate_name.strip.empty?
      if flash.has_key?(:candidate_names) \
        and flash[:candidate_names].instance_of?(Array) 
        unless flash[:candidate_names].index(candidate_name)
          flash[:candidate_names] << candidate_name
        end
     else
       flash[:candidate_names] = [ candidate_name ]
      end
    end
    flash.keep(:candidate_names)
    render :partial => 'candidate_list'
  end
 
  #############################################################
  # the following methods pertain to *voting* in the quickvotes
  #############################################################

  def index
    @election = QuickVote.ident_to_quickvote(params[:ident])
    # if the person has specified an election, we show them the voting
    # page. otherwise, we redirect back to main the page
    if @election

      # if the election is over, redirect to the the results page
      unless @election.active?
        redirect_to quickaction_url(:ident => params[:ident],
                                    :action => 'results')
      end

      # look to see that the voter has been created and has voted in
      # this election, and has confirmed their vote
      @voter = QuickVoter.find(:all,
        :conditions => ["session_id = ? and election_id = ?",
                        session.session_id, @election.id])[0]

      # if the voter has not voted we destroy them
      if @voter and not @voter.voted?
        @voter.destroy
        @voter = nil
      end

      # if the voter does not exist or has has been destroyed, lets
      # create a new one
      unless @voter
        # create a new voter and populate it
        @voter = QuickVoter.new
        @voter.election = @election
        @voter.session_id = session.session_id
              
        # create new vote and make it the defaulted sorted list
        @voter.vote = Vote.new
              @voter.save
              @voter.vote.set_defaults!
              @voter.reload
      end
    else
      redirect_to :controller => 'front'
    end
  end

  def confirm
    
    # we need the election to verify that we have the right voter
    election = QuickVote.ident_to_quickvote(params[:ident])

    # find out who the voter is for this election
    @voter = QuickVoter.find(:all,
      :conditions => ["session_id = ? and election_id = ?", 
                      session.session_id, election.id])[0]
   
    if not @voter
      # we have not seen this  voter before. something is wrong, try
      # again
      redirect_to quickvote_url( :ident => params[:ident] ) 
      
    elsif @voter.voted? 
      # this person has already voted, we try again
      flash[:notice] = "You have already voted!"
      redirect_to quickvote_url( :ident => params[:ident] )
      
    else
      
      # record the ip address for posterity
      @voter.ipaddress = request.env["HTTP_X_FORWARDED_FOR"]
      @voter.save
      
      # toggle the confirmation bit      
      if @voter.vote.confirm!
        @voter.reload
        render :action => 'thanks'
      else
        redirect_to :action => 'index'
      end
    end
  end
 
  def change
    voter = QuickVoter.find(:all, :conditions => ["session_id = ?",
                                                  session.session_id])[0]
    voter.destroy
    redirect_to quickvote_url( :ident => params[:ident] )
  end
                
  def list_voters
    @map = GMap.new("map_div_id") 
    @map.control_init(:large_map => true, :map_type => true) 
    center = nil
    @election=QuickVote.ident_to_quickvote(params[:id])
    @election.voters.each do |voter|
      next unless voter.ipaddress

      location=nil
      if Cache and location=Cache.get("GEO:#{voter.ipaddress}")
      elsif Cache
        location = GeoKit::Geocoders::IpGeocoder.geocode(voter.ipaddress)
        Cache.set "GEO:#{voter.ipaddress}", location
      else
        location = GeoKit::Geocoders::IpGeocoder.geocode(voter.ipaddress)
      end
      next unless location.lng and location.lat

      unless center
        center = [location.lat, location.lng]
        @map.center_zoom_init(center, 4)
      end

      marker = GMarker.new([location.lat,location.lng],
                           :title => "Voter",
                           :info_window => (voter.ipaddress or "unknown"))
      @map.overlay_init(marker)
    end
  end

  ###############################################################
  # the following method pertains to displaying the results of a
  # quickvote
  ###############################################################

  def results
    unless @election = QuickVote.ident_to_quickvote(params[:ident])
      flash[:notice] = "Cannot find quickvote #{params[:ident]}."
      redirect_to :controller => 'front'
      return
    end
    if @election.viewable == 0 && @election.active == 1
      render :action => 'not_viewable' and return
    end
    @results = @election.results
    @candidates = {}
    @election.candidates.each {|c| @candidates[c.id] = c}
    @names = @election.names_by_id
    @sidebar_content = render_to_string :partial => 'results_sidebar'
  end
  
  def my_quickvotes
    @myqvs = QuickVote.find(:all, :conditions => ["quickuser = ?",
                                session.session_id])
  end
  
end