[PATCH] by julm - fix missing check that choice belongs to current vote

[cavote.git] / main.py

diff --git a/main.py b/main.py
index f2db15b..253fb87 100755 (executable)
--- a/main.py
+++ b/main.py
@@ -18,7 +18,7 @@ import string
 
 from settings import *
 
-app = Flask(__name__) 
+app = Flask(__name__)
 app.config.from_object(__name__)
 
 oid = OpenID(app)
@@ -87,7 +87,7 @@ def keygen():
 
 def get_userid():
     user = session.get('user')
-    if user is None: 
+    if user is None:
         return -1
     elif user.get('id') < 0:
         return -1
@@ -311,7 +311,7 @@ def admin_user_add():
                 flash(u'Il existe déjà un compte pour cette adresse e-mail : ' + request.form['email'], 'error')
         else:
             flash(u"Vous devez spécifier une adresse email.", 'error')
-    groups = query_db('select * from groups where system=0') 
+    groups = query_db('select * from groups where system=0')
     return render_template('admin_user_new.html', groups=groups)
 
 @app.route('/admin/users/edit/<iduser>', methods=['GET', 'POST'])
@@ -352,7 +352,7 @@ def admin_user_edit(iduser):
                 flash(u'Le nom ' + request.form['name'] + u' est déjà pris ! Veuillez en choisir un autre.', 'error')
         else:
             flash(u'Il existe déjà un compte pour cette adresse e-mail : ' + request.form['email'], 'error')
-    groups = query_db('select * from groups where system=0') 
+    groups = query_db('select * from groups where system=0')
     return render_template('admin_user_edit.html', user=user, groups=groups)
 
 @app.route('/admin/users/delete/<iduser>')
@@ -427,7 +427,7 @@ def votes(votes):
         abort(404)
     for vote in votes:
         if not vote.get('nb_votes'):
-            vote['nb_votes'] = 0 
+            vote['nb_votes'] = 0
         if vote.get('max_votes'):
             vote['percent'] = int((float(vote['nb_votes']) / float(vote['max_votes'])) * 100)
     return render_template('votes.html', votes=votes, active_button=active_button)
@@ -450,8 +450,8 @@ def can_vote(idvote, iduser=-1):
     if vote is None:
         return False
     if vote['is_terminated'] == 0:
-        if iduser > 0: 
-            if can_see_vote(idvote, iduser): 
+        if iduser > 0:
+            if can_see_vote(idvote, iduser):
                 if not has_voted(idvote, iduser):
                     if query_db('select * from user_group where id_user = ? and id_group = ?', [iduser, vote['id_group']], one=True):
                         return True
@@ -467,18 +467,20 @@ def vote(idvote):
     if vote is None:
         abort(404)
     if can_see_vote(idvote, get_userid()):
+        choices = query_db('select name, id from choices where id_vote=?', [idvote])
         if request.method == 'POST':
             if can_vote(idvote, get_userid()):
                 if vote['is_multiplechoice'] == 0:
-                    if query_db('select * from choices where id = ?', [request.form['choice']], one=True) is not None:
-                        g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)', 
-                                [session.get('user').get('id'), request.form['choice']])
+                    choice = request.form['choice']
+                    if choice in [str(c['id']) for c in choices] \
+                        and query_db('select * from choices where id = ?', [choice], one=True) is not None:
+                        g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)',
+                        [session.get('user').get('id'), request.form['choice']])
                         g.db.commit()
                 else:
-                    choices = query_db('select name, id from choices where id_vote=?', [idvote])
                     for choice in choices:
                         if str(choice['id']) in request.form.keys():
-                            g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)', 
+                            g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)',
                                     [session.get('user').get('id'), choice['id']])
                             g.db.commit()
             else:
@@ -556,7 +558,7 @@ def admin_vote_add():
                 g.db.execute('insert into votes (title, description, category, date_begin, date_end, is_transparent, is_public, is_multiplechoice, id_group, id_author) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
                         [request.form['title'], request.form['description'], request.form['category'], date_begin, date_end, transparent, public, multiplechoice, group['id'], session['user']['id']])
                 g.db.commit()
-                vote = query_db('select * from votes where title = ? and date_begin = ? order by id desc', 
+                vote = query_db('select * from votes where title = ? and date_begin = ? order by id desc',
                         [request.form['title'], date_begin], one=True)
                 if vote is None:
                     flash(u'Une erreur est survenue !', 'error')
@@ -573,7 +575,7 @@ def admin_vote_add():
                 flash(u'Le titre que vous avez choisi est déjà pris.', 'error')
         else:
             flash(u'Vous devez spécifier un titre.', 'error')
-    groups = query_db('select * from groups') 
+    groups = query_db('select * from groups')
     return render_template('admin_vote_new.html', groups=groups, patterns=PATTERNS)
 
 @app.route('/admin/votes/edit/<voteid>', methods=['GET', 'POST'])
@@ -636,7 +638,7 @@ def admin_vote_edit(voteid):
         else:
             flash(u'Vous devez spécifier un titre.', 'error')
     vote['duration'] = (datetime.strptime(vote['date_end'], "%Y-%m-%d") - datetime.strptime(vote['date_begin'], "%Y-%m-%d")).days
-    group = query_db('select name from groups where id = ?', [vote['id_group']], one=True) 
+    group = query_db('select name from groups where id = ?', [vote['id_group']], one=True)
     choices = query_db('select * from choices where id_vote = ?', [voteid])
     attachments = query_db('select * from attachments where id_vote = ?', [voteid])
     if date.today().strftime("%Y-%m-%d") > vote['date_end']: