

fix: being able to submit multiple votes
There was a missing policy check when casting the vote, so the script managed to add the vote to the alternative but then failed when trying to register the user as having cast a vote (MySQL duplicate-key error).

This commit fixes it and enforces a better policy when casting a vote not making this possible anymore.
blt950 committed Mar 25, 2024
1 parent e9954bb commit e7c8117
Showing 3 changed files with 28 additions and 28 deletions.
2 changes: 2 additions & 0 deletions app/Http/Controllers/VoteController.php
Expand Up @@ -124,6 +124,8 @@ public function update(Request $request, $id)
{
$vote = Vote::findOrFail($id);

$this->authorize('vote', [Vote::class, $vote]);

if (! $this->isVoteValid($vote)) {
return back()->withInput()->withErrors('You vote could not be registered. The vote deadline has passed.');
}
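Review bot: The added `$this->authorize('vote', [Vote::class, $vote]);` is a check-then-act guard: two submissions from the same user that arrive before either has been recorded can both pass it, so the duplicate-key error the description mentions stays the real last line of defence. Since the description says the option tally had already been incremented when that error fired, the tally update and the user registration should run inside one `DB::transaction(...)` so a failed registration rolls the tally back; update()'s body continues below the hunk, so I cannot see whether that is already the case. The resulting `QueryException` could then be caught and mapped to the same "already voted" response instead of surfacing as a server error.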
5 changes: 5 additions & 0 deletions app/Policies/VotePolicy.php
Expand Up @@ -49,10 +49,15 @@ public function store(User $user)
*/
public function vote(User $user, Vote $vote)
{

if ($vote->closed) {
return Response::deny('The vote closed and concluded at ' . Carbon::create($vote->end_at)->toEuropeanDateTime());
}

if ($vote->user->contains('id', $user->id)) {
return Response::deny('You have already voted.');
}

if ($vote->require_member) {
if ($user->subdivision != config('app.owner_code')) {
return Response::deny('Sorry, you do not qualify to participate in this vote. You must belong to ' . config('app.owner_name') . ' to vote.');
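Review bot: `$vote->user->contains('id', $user->id)` hydrates every user who has cast this vote just to test membership, and this policy runs on each `@can`, `Gate::inspect` and controller `authorize` call; the query form the view used before this commit, `$vote->user()->where('user_id', $user->id)->exists()`, answers the same question with a single lookup. The new check is deliberately placed before the `require_member` branch so a user who has voted sees "You have already voted." rather than an eligibility message, which the view now relies on through `Gate::inspect` — a one-line comment such as `// Checked before eligibility so a cast vote is always reported as such.` would record that ordering as intentional. The method's body continues past the hunk.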
49 changes: 21 additions & 28 deletions resources/views/vote/show.blade.php
Expand Up @@ -15,34 +15,27 @@

@can('vote', $vote)

@if($vote->user()->where('user_id', \Auth::user()->id)->exists())

<p><i class="fas fa-check"></i> You've already voted.</p>

@else
<form action="{{ route('vote.update', $vote->id) }}" method="POST">
@method('PATCH')
@csrf

@foreach( $vote->option as $votefor )
<div class="form-check">
<input class="form-check-input" type="radio" name="vote" id="{{ $votefor->option }}" value="{{ $votefor->id }}">
<label class="form-check-label" for="{{ $votefor->option }}">
{{ $votefor->option }}
</label>
</div>
@endforeach
@error('vote')
<span class="text-danger">{{ $errors->first('vote') }}</span>
@enderror

<br>
<p class="text-muted">Your vote is secret and can not be traced. The vote is final and cannot be changed.</p>
<button type="submit" class="btn btn-success">Submit Vote</button>

</form>

@endif
<form action="{{ route('vote.update', $vote->id) }}" method="POST">
@method('PATCH')
@csrf

@foreach( $vote->option as $votefor )
<div class="form-check">
<input class="form-check-input" type="radio" name="vote" id="{{ $votefor->option }}" value="{{ $votefor->id }}">
<label class="form-check-label" for="{{ $votefor->option }}">
{{ $votefor->option }}
</label>
</div>
@endforeach
@error('vote')
<span class="text-danger">{{ $errors->first('vote') }}</span>
@enderror

<br>
<p class="text-muted">Your vote is secret and can not be traced. The vote is final and cannot be changed.</p>
<button type="submit" class="btn btn-success">Submit Vote</button>

</form>

@else
<p class="text-danger">{{ Gate::inspect('vote', $vote)->message() }}</p>
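Review bot: `id="{{ $votefor->option }}"` on the radio input and the matching `for="{{ $votefor->option }}"` on the label use the free-text option label as an element id; an option containing spaces or punctuation, or two options with identical text, yields invalid or duplicate ids and the label no longer toggles its control. Keying on the option's primary key avoids this: `id="vote-{{ $votefor->id }}"` and `for="vote-{{ $votefor->id }}"`. The value is already escaped by `{{ }}`, so this is a markup-validity point, not an injection one.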

