Skip to content

Commit

Permalink
@pierluca's comments
Browse files Browse the repository at this point in the history
- check doesn't work
- use variable for randomizing vote ID
  • Loading branch information
ineiti committed Oct 4, 2023
1 parent 86c7c5e commit 61d7ac9
Show file tree
Hide file tree
Showing 3 changed files with 18 additions and 15 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,5 +17,7 @@ Latest changes in each category go to the top
### Fixed
- File formatting and errors in comments
- Popup when voting and some voting translation fixes
- Fixed return error when voting

### Security
- Use `REACT_APP_RANDOMIZE_VOTE_ID === 'true'` to indicate randomizing vote ids
4 changes: 3 additions & 1 deletion scripts/local_vars.sh
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,9 @@ export DB_PATH="$(pwd)/nodes/llmdb"
# The following two variables can be set to see log output from dela:
#export PROXY_LOG=info
#export LLVL=info
# If this is set, you can login without Gaspar
# Logging in without Gaspar and SCIPER 100100
export REACT_APP_DEV_LOGIN="true"
# uncomment this to enable TLS to test gaspar
#export HTTPS=true
# Create random voter-IDs to allow easier testing
export REACT_APP_RANDOMIZE_VOTE_ID="true"
27 changes: 13 additions & 14 deletions web/backend/src/controllers/dela.ts
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,7 @@ delaRouter.delete('/forms/:formID', (req, res) => {
// request that needs to go the DELA nodes
delaRouter.use('/*', (req, res) => {
if (!req.session.userId) {
res.status(400).send('Unauthorized');
res.status(401).send('Authentication required!');
return;
}

Expand All @@ -242,24 +242,23 @@ delaRouter.use('/*', (req, res) => {
// special case for voting
const match = req.baseUrl.match('/api/evoting/forms/(.*)/vote');
if (match) {
if (!req.session.userId) {
res.status(401).send('Authentication required!');
return;
}
if (!isAuthorized(req.session.userId, match[1], PERMISSIONS.ACTIONS.VOTE)) {
res.status(400).send('Unauthorized');
return;
}

// We must set the UserID to know who this ballot is associated to. This is
// only needed to allow users to cast multiple ballots, where only the last
// ballot is taken into account. To preserve anonymity, the web-backend could
// translate UserIDs to another random ID.
// bodyData.UserID = req.session.userId.toString();

// DEBUG: this is only for debugging and needs to be replaced before production
console.warn('DEV CODE - randomizing the SCIPER ID to allow for unlimited votes');
bodyData.UserID = makeid(10);
if (process.env.REACT_APP_RANDOMIZE_VOTE_ID === 'true') {
// DEBUG: this is only for debugging and needs to be replaced before production
console.warn('DEV CODE - randomizing the SCIPER ID to allow for unlimited votes');
bodyData.UserID = makeid(10);
} else {
// We must set the UserID to know who this ballot is associated to. This is
// only needed to allow users to cast multiple ballots, where only the last
// ballot is taken into account. To preserve anonymity, the web-backend could
// translate UserIDs to another random ID.

bodyData.UserID = req.session.userId.toString();
}
}

const dataStr = JSON.stringify(bodyData);
Expand Down

0 comments on commit 61d7ac9

Please sign in to comment.