fix security issue

[selectricity] / app / views / election / show.rhtml

<div id="title-header">
  <span class="header">Election Overview</span>
  <span class="subheader"></span>
</div>
<% if @election.enddate < Time.now %>
<div id="status">Election is finished. <%= link_to "View results",
        :controller => 'voter', :action => 'index', 
        :election_id => @election.id %>.</div>

<% elsif (@election.active? && @election.early_results? ) %>
  <div id="status">You have decided that the results
        should be viewable while the election is in progress.
        <%if @election.voters.select {|v| v.vote.confirmed?}.empty? %>
        However, no one has voted yet.
        <% else %>
        <%= link_to "View results", :controller => 'election', :action => 'results', 
                :id => @election.id %>.
    <% end %>
  </div>
<% elsif @election.active? %>
  <div id="status">Vote is in currently in progress. Return to
        this page for results on <%= @election.enddate %>.</div>
  
<% else %>
  <p style="text-align: right;">
    <%= link_to "Edit General Information",
                :action => 'edit_general_information', :id => @election.id %>
  </p>
<% end %>

<p><strong>Summary</strong></p>

<blockquote>
<%= h(@election.name) %>
</blockquote>

<p><strong>Description</strong></p>

<blockquote>
<%= h(@election.description) %>
</blockquote>

<p><strong>Additional Information</strong></p>

<ul> <li>Elections will end at <strong><%= @election.enddate
%></strong>.</li> <li>Elections results <strong><% if
@election.early_results %>will be<% else %>will not be<% end
%></strong> visible while election is in progress.</li>

<% if @election.embeddable %>
<li>Elections <strong>will be</strong> embeddable.</li>
<% end %>

<% if @election.kiosk %>
<li>Selectricity's kiosk mode <strong>will be</strong> available.</li>
<% end %>

<% if @election.verifiable%>
<li>Voters <strong>will be</strong> given tokens to verify their votes.</li>
<% else %>
<li>Elections <strong>will not be</strong> voter verifiable.</li>
<% end %>

</ul>

<% if @election.active? and not @election.authenticated? %>
<p><strong>Link to election:</strong></p>
<ul>
<li><%= (link_to ("Vote in election", 
          :controller => 'voter', :action => 'index', :election_id => @election.id)).to_s %>
     (<%= votepassword_url(:urlpassword => "open." + @election.id.to_s) %>)</li>

<% if @election.kiosk %>
<li><%= link_to("Kiosk mode",
           kiosk_ready_url(:urlpassword => "open." + @election.id.to_s,
                           :kiosk => true)) %>
        (<%= kiosk_ready_url(:urlpassword => "open." + @election.id.to_s, :kiosk => true) %>)
  <% end %>
</ul>
<% end -%>

<div class="normal-header">
  <span class="header">Candidates</span>
  <span class="subheader"></span>
</div>


<% if not (@election.active? or @election.done?) %>
  <p style="text-align: right;">
    <%= link_to "Edit Candidates",
               :action => 'edit_candidates', :id => @election.id %></p>
<% end %>


<% if @election.candidates.empty? %>
  <p><em>There are currently no candidates registered.</em>
     <%= link_to "Add some!", :action => 'edit_candidates', :id => @election.id %>
  </p>
<% else %>
  <%= render :partial => 'candidate_list' %>
<% end %>

<div class="normal-header">
  <span class="header">Voters</span>
  <span class="subheader"></span>
</div>

<% if not (@election.active?  or @election.done?) %>
<p style="text-align: right;">
  <%= link_to "Change Voters/Options",
              :action => 'edit_voters', :id => @election.id %></p>
<% end %>

<% if not @election.authenticated? %>
  <p><em>This election is open the public.</em></p>
<% elsif @election.voters.empty? %>
  <p><em>There are currently no voters registered. </em>
     <%= link_to "Add some!", :action => 'edit_voters',
                 :id => @election.id %></p>
<% else %>
  <%= render :partial => 'voter_list' %>
  <p><em><%= link_to "Add or remove voters.", :action => 'edit_voters',
              :id => @election.id unless @election.active? or @election.done? %>
  </em></p>
<% end %>

<% if not (@election.active? or @election.done?)  %>

<div class="normal-header">
  <span class="header">Start Election</span>
  <span class="subheader"></span>
</div>

  <% if @election.start_blockers.length > 0 %>
    <p>Your vote cannot be started for the following reasons:</p>
    <ul>
    <% for reason in @election.start_blockers %>
    <li><%= reason %></li>
    <% end %>
    </ul>
  <% else %>
    <p>Please check everything carefully on this page before starting this
    vote. Once you begin the vote, you will <em>not</em> be able to add or
    change candidates, modify the voting lists, or change the end
    time.</p>

    <p>When you begin the vote, the following will happen:</p>

    <ul>
    <li>The vote will be "frozen" so that further edits to the
        candidate list and voting list cannot occur.</li>
    <% if @election.authenticated? %>
    <li>All voters will be emailed notifying them that the vote has
        begun and of their unique login token.</li>
    <% end %>
    </ul>

    <%= button_to 'Start Election!', :action => 'start_election', :id => @election.id %>
  <% end %>

<% elsif @election.embeddable? %>

<div class="normal-header">
  <span class="header">Embedding</span>
  <span class="subheader"></span>
</div>


<p>To embed your election, copy and paste the following code into your
homepage:</p>

<pre><%= h("<iframe src='") + votepassword_url(:urlpassword => "open." + @election.id.to_s, :embed => "true") + h("' width='330px' height='#{(@election.candidates.length+2)*53}px'>" ) %>
<%= h("</iframe>") %></pre>

<% end %>