[PATCH] by julm - fix missing check that choice belongs to current vote
authorJulien Rabier <taziden@flexiden.org>
Wed, 13 Aug 2014 14:18:43 +0000 (16:18 +0200)
committerJulien Rabier <taziden@flexiden.org>
Wed, 13 Aug 2014 14:18:43 +0000 (16:18 +0200)
main.py

diff --git a/main.py b/main.py
index 0d673e5..253fb87 100755 (executable)
--- a/main.py
+++ b/main.py
@@ -467,15 +467,17 @@ def vote(idvote):
     if vote is None:
         abort(404)
     if can_see_vote(idvote, get_userid()):
+        choices = query_db('select name, id from choices where id_vote=?', [idvote])
         if request.method == 'POST':
             if can_vote(idvote, get_userid()):
                 if vote['is_multiplechoice'] == 0:
-                    if query_db('select * from choices where id = ?', [request.form['choice']], one=True) is not None:
-                        g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)', 
-                                [session.get('user').get('id'), request.form['choice']])
+                    choice = request.form['choice']
+                    if choice in [str(c['id']) for c in choices] \
+                        and query_db('select * from choices where id = ?', [choice], one=True) is not None:
+                        g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)',
+                        [session.get('user').get('id'), request.form['choice']])
                         g.db.commit()
                 else:
-                    choices = query_db('select name, id from choices where id_vote=?', [idvote])
                     for choice in choices:
                         if str(choice['id']) in request.form.keys():
                             g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)',
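Review bot: The `and query_db('select * from choices where id = ?', [choice], one=True) is not None` clause on the new `if` is now redundant: `choices` was just fetched from the same table filtered by `id_vote`, so membership in `[str(c['id']) for c in choices]` already proves the row exists and belongs to this vote, and the extra query only adds a second round-trip with no additional guarantee. The condition can become `if choice in {str(c['id']) for c in choices}:` (a set, so the membership test is O(1) and the line-continuation disappears). The insert on the following line should also bind the validated local, `[session.get('user').get('id'), choice]`, instead of re-reading `request.form['choice']`, so the value written is exactly the one that was checked. The enclosing `vote` function starts before this hunk and continues after it, so I cannot see whether the multi-choice branch commits after its loop.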