
[BUG] Unauthorized Poll Creation on Others' Proposals #1197

Open
NabinKawan opened this issue Jun 7, 2024 · 8 comments
Labels: 🐛 Bug (Something isn't working)

Comments

NabinKawan (Contributor) commented Jun 7, 2024

Context & versions

Able to add a poll on others' proposals

Steps to reproduce

Send a POST request to create a poll on another user's proposal using the following curl command:

curl 'https://dev.api.pdf.gov.tools/api/polls' \
-H 'accept: application/json, text/plain, */*' \
-H 'accept-language: en-US,en;q=0.9' \
-H 'authorization: Bearer <Token>' \
-H 'content-type: application/json' \
-H 'origin: https://dev.gov.tools/' \
-H 'priority: u=1, i' \
-H 'referer: https://dev.gov.tools/' \
-H 'sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Linux"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: same-site' \
-H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36' \
--data-raw '{"data":{"proposal_id":"11","poll_start_dt":"2024-06-07T08:49:08.498Z","is_poll_active":true}}'

{"data":{"id":12,"attributes":{"proposal_id":"11","poll_yes":0,"poll_no":0,"poll_start_dt":"2024-06-07T08:49:08.498Z","is_poll_active":true,"createdAt":"2024-06-07T08:54:59.844Z","updatedAt":"2024-06-07T08:54:59.844Z"}},"meta":{}}

Here, I'm able to add a poll to proposal id 11. This will also reset already existing polls.

Actual behavior

A poll is successfully created on another user's proposal.

Expected behavior

The system should block the creation of polls on proposals that do not belong to the authenticated user.
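The ownership check the report says is missing, as an added example that is not govtool's own code: a plain-JavaScript model of a POST /api/polls handler over an in-memory store, with the vulnerable form beside the fixed one. The users, proposal ids and store are assumed sample data.

```javascript
// Added example, not govtool's own code: an in-memory model of a
// POST /api/polls handler showing the missing ownership check and the fix.
// Users, proposal ids and the store are constructed sample data.

// Fresh store per call so the vulnerable and fixed handlers can be compared.
function newStore() {
  return {
    proposals: new Map([['11', { ownerId: 'alice' }], ['1958', { ownerId: 'carol' }]]),
    polls: new Map(), // proposal_id -> poll record
  };
}

function buildPoll(proposalId, body) {
  return {
    proposal_id: proposalId, poll_yes: 0, poll_no: 0,
    poll_start_dt: body.poll_start_dt, is_poll_active: body.is_poll_active,
  };
}

// Vulnerable handler: the caller is authenticated (user), but nothing checks
// who owns the proposal named in the body, so any logged-in user can create a
// poll on anyone's proposal, and an existing poll is silently overwritten.
function createPollVulnerable(store, user, body) {
  const proposalId = String(body.proposal_id);
  if (!store.proposals.has(proposalId)) return { status: 404 };
  store.polls.set(proposalId, buildPoll(proposalId, body));
  return { status: 200, poll: store.polls.get(proposalId) };
}

// Fixed handler: the authorization decision compares the proposal's stored
// owner with the authenticated user (never a client-supplied owner field),
// and an existing poll is refused rather than reset.
function createPollFixed(store, user, body) {
  const proposalId = String(body.proposal_id);
  const proposal = store.proposals.get(proposalId);
  if (!proposal) return { status: 404 };
  if (proposal.ownerId !== user.id) return { status: 403 };
  if (store.polls.has(proposalId)) return { status: 409 };
  store.polls.set(proposalId, buildPoll(proposalId, body));
  return { status: 200, poll: store.polls.get(proposalId) };
}

// Same request body as in the report, sent by a user who does not own proposal 11.
const body = { proposal_id: '11', poll_start_dt: '2024-06-07T08:49:08.498Z', is_poll_active: true };
const bob = { id: 'bob' };
const resultVulnerable = createPollVulnerable(newStore(), bob, body).status; // 200
const resultFixed = createPollFixed(newStore(), bob, body).status;           // 403
```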

bosko-m (Contributor) commented Nov 5, 2024

@spannercode Can you check if this is still the case?

kneerose (Contributor) commented Nov 5, 2024

@bosko-m This issue is still occurring: I am able to add a poll to proposals that do not belong to me.

Script:

curl 'https://z74f91f2d-zb0719f09-gtw.z937eb260.rustrocks.fr/api/polls' \
-H 'accept: application/json, text/plain, */*' \
-H 'accept-language: en,en-GB;q=0.9,en-US;q=0.8' \
-H 'authorization: Bearer <Use Your Token>' \
-H 'content-type: application/json' \
-H 'origin: https://dev-sanchonet.govtool.byron.network' \
-H 'priority: u=1, i' \
-H 'referer: https://dev-sanchonet.govtool.byron.network/' \
-H 'sec-ch-ua: "Chromium";v="130", "Google Chrome";v="130", "Not?A_Brand";v="99"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "Linux"' \
-H 'sec-fetch-dest: empty' \
-H 'sec-fetch-mode: cors' \
-H 'sec-fetch-site: cross-site' \
-H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36' \
--data-raw '{"data":{"proposal_id":"1958","poll_start_dt":"2024-11-05T09:12:56.920Z","is_poll_active":true}}'

For further details, please refer to this: https://www.loom.com/share/1879b6ec318f4627b0abf0326a95e3f5?sid=4f6924eb-0b1e-40e4-9fa7-6aee6cc02a2a

Here, proposal 1958 does not belong to me, but I am still able to add a poll to it.

bosko-m (Contributor) commented Nov 5, 2024

Thank you @kneerose. That makes this P0.

bosko-m (Contributor) commented Nov 7, 2024

@kneerose Feel free to test this again on dev.

kneerose (Contributor) commented Nov 8, 2024

@bosko-m This issue is still occurring on the development environment.

https://www.loom.com/share/b9827619b138403fb9fa85ddc2344ad6?sid=d4bfb9bf-a1b0-4ec3-816d-5fa7626c8ee9

kneerose (Contributor) commented Nov 8, 2024

Additionally, users can submit multiple votes on the same proposal poll using the same user authentication.
Related ticket: #2356

bosko-m (Contributor) commented Nov 14, 2024

@kneerose @spannercode You are free to test it again.

kneerose (Contributor) commented

CC: @bosko-m
Based on the provided response, the issue now appears to be resolved.

Projects
Status: In review