fix security issue

[selectricity] / old_api_code / selectricity_service.rb

# Selectricity: Voting Machinery for the Masses
# Copyright (C) 2007, 2008 Benjamin Mako Hill <mako@atdot.cc>
# Copyright (C) 2007 Massachusetts Institute of Technology
#
# This program is free software. Please see the COPYING file for
# details.

require 'action_controller/integration'

class SelectricityService < ActionWebService::Base
  web_service_api SelectricityAPI

  ## Casts a quickvote.
  ## Expects a quickvote name, a voter ID, and a list of candidate ID's respectively.
  ## Returns a string containing any potential errors that occurred in the process.
  def cast_quickvote(election_name, voter_id, vote_list)
    election = QuickVote.ident_to_quickvote election_name
    if election
      candidates=election.candidates.collect { |c| c.id }
      vote_list[0].each do |vote|
        raise ArgumentError.new("Invalid Candidate ID #{vote}") unless candidates.index(vote)
      end
      raise ArgumentError.new("You must rank all candidates") unless candidates.length <= vote_list[0].length
      raise ArgumentError.new("Please rank each candidate only once") if vote_list[0].uniq!
      voter = QuickVoter.new
      voter.election = election
      voter.ipaddress = "XMLRPC Request"
      voter.session_id = "XMLRPC:#{voter_id}"
      voter.vote=Vote.new
      voter.vote.votes=vote_list[0]
      voter.vote.time = Time.now
      voter.save!
      voter.vote.confirm!
      voter.save!
    else
      raise ArgumentError.new("Cannot find election #{election_name}")
    end
  end

  ## Converts QuickVote candidate ID's to names
  ## Takes in a QuickVote name and a list of candidate ID's, and returns the names of
  ## each candidate. Useful for doing just a few lookups; it's more efficient to use
  ## get_quickvote_candidate_map for presenting info about an entire election.
  def quickvote_candidate_ids_to_names(shortname, id_list)
    qv=QuickVote.ident_to_quickvote(shortname)
    candidates={}
    raise ArgumentError.new("Quickvote by name #{shortname} doesn't exist") unless qv
    qv.results
    qv.candidates.each {|c| candidates[c.id] = c}
    results=[]
    id_list.each { |id|
      name=candidates[id]
      if name
        results << name
      else
        results << ""
      end
    }
    results
  end

  ## Return the results of a QuickVote.
  ## Takes in the name of a quickvote, and returns a structure as described by
  ## QuickVoteResultStruct
  def get_quickvote_results(shortname)
    #TODO: Validate shortname
    qv=QuickVote.ident_to_quickvote(shortname)
    result=QuickVoteResultStruct.new
    unless qv
      raise ArgumentError.new("No quickvote with name #{shortname} found!")
    end
    qv.results
    result.plurality_winners=qv.plurality_result.winners
    result.approval_winners=qv.approval_result.winners
    result.condorcet_winners=qv.condorcet_result.winners
    result.ssd_winners=qv.ssd_result.winners
    result.borda_winners=qv.borda_result.winners
    result
  end

  ## Returns information regarding all the candidates in a QuickVote
  ## Takes in a QuickVote name, and returns the list of names and ID's of candidates
  ## This can be useful for presenting the user with a list of readable names, while
  ## the software sends results to us in the numeric ID's we require. The two lists are in
  ## respective order.
  def get_quickvote_candidate_map(shortname)
    qv=QuickVote.ident_to_quickvote(shortname)
    result=QuickVoteCandidateMap.new
    unless qv
      raise ArgumentError.new("No quickvote with name #{shortname} found!")
    end
    candidates={}
    qv.candidates.each {|c| candidates[c.id] = c.name}
    result.candidate_ids=candidates.keys
    result.candidate_names=candidates.values
    result
  end

  ## Get information on all the votes cast in a QuickVote
  ## Takes in the name of a QuickVote, returns an array of QuickVoterInfo structures.
  def get_quickvote_votes(shortname)
    qv = QuickVote.ident_to_quickvote(shortname)

    unless qv
      raise ArgumentError.new("Cannot find QuickVote #{shortname}")
    end

    qv.votes.collect do |vote|
       QuickVoterInfo.new(:voter_id => vote.voter.id,
                    :voter_ipaddress => vote.voter.ipaddress,
                    :vote_time => vote.time.to_i,
                    :vote => vote.votes,
                    :voter_session_id => vote.voter.session_id)
    end
  end

  ## Gets a list of all QuickVotes in the system.
  def list_quickvotes()
    QuickVote.find(:all).collect do |election|
      get_quickvote(election.name)
    end
  end

  ## Gets information on a particular QuickVote
  ## Takes in a QuickVote name
  def get_quickvote(shortname)
    unless election = QuickVote.ident_to_quickvote(shortname)
      raise ArgumentError.new("Cannot find QuickVote named #{shortname}")
    end

    QuickVoteStruct.new(
      :id => election.id,
      :name => election.name,
      :description => election.description,
      :candidate_ids => election.candidates.collect {|c| c.id },
      :candidate_names => election.candidates.collect {|c| c.name } )
  end

  ## Create a QuickVote
  ## Pass in a QuickVoteStruct populated with all the fields but the candidate ID's
  ## Any candidate ID's you fill in will be ignored anyway.
  def create_quickvote(election)
    qv = QuickVote.new(:name => election.name,
                       :description => election.description)
    qv.candidate_names = election.candidate_names

    if qv.save
      return ""
    else
      raise ArgumentError.new("Saving quickvote FAILED:"+qv.errors.inspect)
    end
  end

end