Scope requests to view and edit vote record to only the specified ele…

…ction (#90) The controllers to view and to edit a voter's submission in an election now search for that vote record within the scope of the ID of the election. Otherwise, the controller will find the first vote that user submitted for any election in the system and attempt to decrypt that vote using the supplied password.
elekto-io · Jun 20, 2023 · 131633d · 131633d
1 parent a8037a3
commit 131633d
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/elekto/controllers/elections.py b/elekto/controllers/elections.py
@@ -149,7 +149,7 @@ def elections_view(eid):
     election = meta.Election(eid)
     voters = election.voters()
     e = SESSION.query(Election).filter_by(key=eid).first()
-    voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id).first()
+    voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id,election_id=e.id).first()
 
     passcode = F.request.form["password"]
 
@@ -175,7 +175,7 @@ def elections_view(eid):
 def elections_edit(eid):
     election = meta.Election(eid)
     e = SESSION.query(Election).filter_by(key=eid).first()
-    voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id).first()
+    voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id,election_id=e.id).first()
 
     passcode = F.request.form["password"]