From 40742e9471c6c87b94022685a2b2b0cb0c4c9d4f Mon Sep 17 00:00:00 2001
From: Linus Gasser
Date: Thu, 28 Sep 2023 11:06:01 +0200
Subject: [PATCH] Fixing voting

Using the endpoint 'forms/:formID/vote' doesn't work with the sendToDela method
---
 web/backend/src/controllers/dela.ts | 49 ++++++++++++++---------------
 1 file changed, 24 insertions(+), 25 deletions(-)

diff --git a/web/backend/src/controllers/dela.ts b/web/backend/src/controllers/dela.ts
index 7253e4932..5129ccadf 100644
--- a/web/backend/src/controllers/dela.ts
+++ b/web/backend/src/controllers/dela.ts
@@ -177,31 +177,6 @@ delaRouter.use('/services/shuffle/:formID', (req, res, next) => {
 next();
 });
-delaRouter.post('/forms/:formID/vote', (req, res) => {
- if (!req.session.userId) {
- res.status(401).send('Authentication required!');
- return;
- }
- if (!isAuthorized(req.session.userId, req.params.formID, PERMISSIONS.ACTIONS.VOTE)) {
- res.status(400).send('Unauthorized');
- return;
- }
-
- // We must set the UserID to know who this ballot is associated to. This is
- // only needed to allow users to cast multiple ballots, where only the last
- // ballot is taken into account. To preserve anonymity, the web-backend could
- // translate UserIDs to another random ID.
- // bodyData.UserID = req.session.userId.toString();
-
- // DEBUG: this is only for debugging and needs to be replaced before production
- const bodyData = req.body;
- console.warn('DEV CODE - randomizing the SCIPER ID to allow for unlimited votes');
- bodyData.UserID = makeid(10);
-
- const dataStr = JSON.stringify(bodyData);
- sendToDela(dataStr, req, res);
-});
-
 delaRouter.delete('/forms/:formID', (req, res) => {
 if (!req.session.userId) {
 res.status(401).send('Unauthenticated');
@@ -263,6 +238,30 @@ delaRouter.use('/*', (req, res) => {
 }
 const bodyData = req.body;
+
+ // special case for voting
+ const match = req.baseUrl.match('/api/evoting/forms/(.*)/vote');
+ if (match) {
+ if (!req.session.userId) {
+ res.status(401).send('Authentication required!');
+ return;
+ }
+ if (!isAuthorized(req.session.userId, match[1], PERMISSIONS.ACTIONS.VOTE)) {
+ res.status(400).send('Unauthorized');
+ return;
+ }
+
+ // We must set the UserID to know who this ballot is associated to. This is
+ // only needed to allow users to cast multiple ballots, where only the last
+ // ballot is taken into account. To preserve anonymity, the web-backend could
+ // translate UserIDs to another random ID.
+ // bodyData.UserID = req.session.userId.toString();
+
+ // DEBUG: this is only for debugging and needs to be replaced before production
+ console.warn('DEV CODE - randomizing the SCIPER ID to allow for unlimited votes');
+ bodyData.UserID = makeid(10);
+ }
+
 const dataStr = JSON.stringify(bodyData);
 sendToDela(dataStr, req, res);
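Review bot: The vote authorization in the catch-all handler now depends on `req.baseUrl.match('/api/evoting/forms/(.*)/vote')`, which is compiled as an unanchored regex with a greedy `(.*)`. Any request that does not match it falls through to `sendToDela` with only the generic session check, and the captured `match[1]` may span several path segments, so the form id passed to `isAuthorized` need not be the form the forwarded request addresses. Assuming `baseUrl` always starts with that prefix, an anchored single-segment pattern is safer: `const match = req.baseUrl.match(/^\/api\/evoting\/forms\/([^/]+)\/vote\/?$/);`. The refusal would also read better as `res.status(403)` than `400`. Since `bodyData.UserID = makeid(10)` lets one authorized session cast unlimited ballots, the DEV override should sit behind an explicit development-only setting rather than run unconditionally. The handler starts and ends outside this hunk, and `sendToDela` is not visible here, so the forwarding behaviour is inferred.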