fix security issue
index 9e88e9e282b048cfe1b0e9177081fc1300424873..78f9a0cdef8da7de802f83800c6484b470500f8e 100644 (file)
@@ -17,6 +17,7 @@
 # <http://www.gnu.org/licenses/>.
 
 class VoterController < ApplicationController
+  helper :sparklines
   layout 'main'
   require_dependency "voter"
   require_dependency "vote"
@@ -26,11 +27,12 @@ class VoterController < ApplicationController
     if params[:election_id]
       @election = Election.find(params[:election_id])
       unless @election.authenticated?
-        @voter = Voter.find(:all,
+        @voter = OpenVoter.find(:all,
           :conditions => ["session_id = ? and election_id = ?",
           session.session_id, @election.id])[0]
       
-        @voter = Voter.new unless @voter
+
+        @voter = OpenVoter.new unless @voter
 
         @voter.election = @election
         @voter.session_id = session.session_id
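Review bot: `OpenVoter.find(:all, :conditions => [...])[0]` on the added line loads every row matching the session and election and then discards all but the first; `OpenVoter.find(:first, :conditions => ["session_id = ? and election_id = ?", session.session_id, @election.id])` states the intent and lets the database apply the limit. The same pattern is kept in the hunk at `@@ -192,12 +196,22 @@`. Taking the first of several matches also silently hides the case where one session holds more than one open voter for the same election; if that is impossible by construction it is worth a comment saying so. The enclosing method begins before this hunk and continues after it.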
@@ -52,7 +54,7 @@ class VoterController < ApplicationController
         @voter.vote = Vote.new 
         @voter.save
       end
-      
+    
       @voter.vote.set_defaults! if @voter.vote.rankings.empty?
 
       # if the election is now finished 
@@ -106,8 +108,8 @@ class VoterController < ApplicationController
   def details
     if authenticate
       @election = @voter.election
-      @votes = @election.votes.select {|v| v.confirmed? }.randomize
-      @voters = @votes.collect {|v| v.voter}.randomize
+      @votes = @election.votes.select {|v| v.confirmed? }.shuffle
+      @voters = @votes.collect {|v| v.voter}.shuffle
       render :action => 'details'
     else
       redirect_to :action => 'index'
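Review bot: The two independent `shuffle` calls on the new lines carry this method's privacy property — because `@voters` is shuffled separately from `@votes`, a reader of the details page cannot pair a vote with the voter who cast it — yet nothing in the code says so, and a later cleanup that reuses one ordering or zips the two arrays would silently re-link them. A comment above the assignments such as `# shuffle votes and voters independently so the page cannot be used to match a vote to its voter` would pin the intent. `details` continues past the end of this hunk.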
@@ -126,16 +128,18 @@ class VoterController < ApplicationController
 
   def confirm
     if authenticate
-      @voter.vote.confirm!
-
-      if @voter.election.embeddable? and params[:embed] == "true" \
-        and @voter.election.early_results?
-        redirect_to :action => :results, :id => @password, :embed => 'true'
+      if @voter.vote.confirm!
+        if @voter.election.embeddable? and params[:embed] == "true" \
+          and @voter.election.early_results?
+          redirect_to :action => :results, :id => @password, :embed => 'true'
+        else
+          render :action => 'thanks'
+        end
       else
-        render :action => 'thanks'
+        redirect_to :action => 'index'
       end
     else
-      redirect_to :action => 'index'
+        redirect_to :action => 'index'
     end
   end
   
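Review bot: The new `if @voter.vote.confirm!` makes the redirect-to-index branch depend on `confirm!` returning a falsy value on failure, which is not visible here; if `Vote#confirm!` follows the usual bang convention and raises instead, that `else` branch is dead and a failed confirmation surfaces as an exception rather than a redirect. Worth confirming against the Vote model and, if it does raise, rescuing there or branching on a non-bang form. Separately, the final `redirect_to :action => 'index'` is indented two columns deeper than its `else`; it should sit at `      redirect_to :action => 'index'` like the rest of the method.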
@@ -192,12 +196,22 @@ class VoterController < ApplicationController
     password = params[:id]
     if password == "open"
       election = Election.find(params[:format])
+
+      # double check to make sure the election is not authenticated
       unless election.authenticated?
-        @voter = Voter.find(:all,
+        @voter = OpenVoter.find(:all,
           :conditions => ["session_id = ? and election_id = ?",
                           session.session_id, election.id])[0]
+
+        # if the election is over, proceed
+        if (not @voter) and (election.enddate < Time.now)
+          @voter = OpenVoter.new
+          @voter.election = election
+        end
+
         @password = "open." + election.id.to_s
       end
+
     else
       @voter = FullVoter.find(:all,
         :conditions => [ "password = ?", password ] )[0]
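Review bot: The comment `# if the election is over, proceed` on the added lines understates what the branch does: a visitor with no OpenVoter for this session is handed an unsaved `OpenVoter` bound to the election, but only once `election.enddate < Time.now`, presumably so that a finished open election can be viewed by someone who never voted while an election still in progress keeps the session-bound check. A comment stating that, e.g. `# no voter for this session: grant a transient (unsaved) OpenVoter only after the election has closed`, would stop a later reader from treating the nil `@voter` path as an error. Whether `enddate` and `Time.now` are compared in the same time zone is not visible here and is worth confirming, since a mismatch shifts when that branch opens. The enclosing method starts before this hunk and continues after it.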
