fix security issue
index d7f589db7f9d0b1d2e62d4806e11db686fd67ed3..78f9a0cdef8da7de802f83800c6484b470500f8e 100644 (file)
@@ -31,6 +31,7 @@ class VoterController < ApplicationController
           :conditions => ["session_id = ? and election_id = ?",
           session.session_id, @election.id])[0]
       
+
         @voter = OpenVoter.new unless @voter
 
         @voter.election = @election
@@ -127,16 +128,18 @@ class VoterController < ApplicationController
 
   def confirm
     if authenticate
-      @voter.vote.confirm!
-
-      if @voter.election.embeddable? and params[:embed] == "true" \
-        and @voter.election.early_results?
-        redirect_to :action => :results, :id => @password, :embed => 'true'
+      if @voter.vote.confirm!
+        if @voter.election.embeddable? and params[:embed] == "true" \
+          and @voter.election.early_results?
+          redirect_to :action => :results, :id => @password, :embed => 'true'
+        else
+          render :action => 'thanks'
+        end
       else
-        render :action => 'thanks'
+        redirect_to :action => 'index'
       end
     else
-      redirect_to :action => 'index'
+        redirect_to :action => 'index'
     end
   end
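Review bot: The new inner else branch, `redirect_to :action => 'index'` after `if @voter.vote.confirm!`, sends the voter back to the index with no explanation when confirmation fails, so a rejected or repeated confirmation is indistinguishable from a fresh visit and leaves no trace for the user. Set a message before the redirect, e.g. `flash[:notice] = 'Your vote could not be confirmed.'`, assuming `confirm!` signals failure by returning a falsy value rather than raising (confirm against the Vote model). The outer else branch's `redirect_to :action => 'index'` is now indented eight spaces where the surrounding block uses six; align it with its `else`. The pre-existing `and` in the embed condition would also read more safely as `&&`, since the keyword form binds lower than the `==` and method calls around it.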
   
@@ -193,12 +196,22 @@ class VoterController < ApplicationController
     password = params[:id]
     if password == "open"
       election = Election.find(params[:format])
+
+      # double check to make sure the election is not authenticated
       unless election.authenticated?
         @voter = OpenVoter.find(:all,
           :conditions => ["session_id = ? and election_id = ?",
                           session.session_id, election.id])[0]
+
+        # if the election is over, proceed
+        if (not @voter) and (election.enddate < Time.now)
+          @voter = OpenVoter.new
+          @voter.election = election
+        end
+
         @password = "open." + election.id.to_s
       end
+
     else
       @voter = FullVoter.find(:all,
         :conditions => [ "password = ?", password ] )[0]
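Review bot: The comment `# if the election is over, proceed` does not say what the branch actually does or why an ended election gets a voter that an ongoing one does not; state it, e.g. `# no voter in this session and the election has ended: build a transient OpenVoter (not saved) for this request`, and add the reason the ended-election case is allowed through. If `enddate` can be nil for an election, `election.enddate < Time.now` raises NoMethodError on this path, so either guard it or confirm the column is required. The condition itself would be clearer as `if !@voter && election.enddate < Time.now`, avoiding the low-precedence `not`/`and` keyword forms. The enclosing method continues past the end of this hunk.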
