From 0ae55a359f776d2de4a6442449a57d39dc66f9f3 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Mon, 3 Oct 2011 07:19:58 -0700
Subject: [PATCH] fixed privacy leak in castvote view with aliased voters

---
 helios/templates/castvote.html | 6 +++---
 helios/views.py                | 2 +-
 server_ui/templates/base.html  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/helios/templates/castvote.html b/helios/templates/castvote.html
index 68197c5..bcba4ae 100644
--- a/helios/templates/castvote.html
+++ b/helios/templates/castvote.html
@@ -6,10 +6,10 @@
 cast in <a href="{% url helios.views.one_election_view election.uuid %}">{{election.name}}</a><br />
 Fingerprint: <tt>{{cast_vote.vote_hash}}</tt><br />
 by <b><u>
-{% if voter.alias %}
-{{voter.alias}}
+{% if the_voter.alias %}
+{{the_voter.alias}}
 {% else %}
-{{voter.name}}
+{{the_voter.name}}
 {% endif %}
 </u></b>
 <br /><br />
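Review bot: The alias-or-name fallback starting at `{% if the_voter.alias %}` is now spelled out in two templates, here and in the sign-in banner in server_ui/templates/base.html. Any other template that prints a voter has to repeat the same check, or it shows the real name of an aliased voter. Consider moving the choice into a single property on the voter model (not visible in this patch) and rendering that everywhere, for example `{{the_voter.display_name}}`, where the property name is constructed for illustration. A regression test that renders this page for an aliased voter and asserts the real name is absent from the output would pin the fix.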
diff --git a/helios/views.py b/helios/views.py
index 2409e41..30fd9c2 100644
--- a/helios/views.py
+++ b/helios/views.py
@@ -175,7 +175,7 @@ def election_vote_shortcut(request, election_short_name):
 
 @election_view()
 def _castvote_shortcut_by_election(request, election, cast_vote):
-  return render_template(request, 'castvote', {'cast_vote' : cast_vote, 'vote_content': cast_vote.vote.toJSON(), 'voter': cast_vote.voter, 'election': election})
+  return render_template(request, 'castvote', {'cast_vote' : cast_vote, 'vote_content': cast_vote.vote.toJSON(), 'the_voter': cast_vote.voter, 'election': election})
   
 def castvote_shortcut(request, vote_tinyhash):
   try:
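Review bot: Nothing in `_castvote_shortcut_by_election` records why the context key is `the_voter` rather than `voter`, so a later cleanup could rename it back and reintroduce the leak. The base template's `{% if voter %}` banner appears to treat `voter` as the signed-in voter, which would explain why passing the cast vote's voter under that name exposed their identity. I would add a comment above the return, such as `# 'voter' is reserved for the signed-in voter in base.html; never pass another voter under that key`. If `render_template` is where the signed-in voter is injected (not shown in this hunk), rejecting or overriding a caller-supplied `voter` key there would enforce the rule for every view.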
diff --git a/server_ui/templates/base.html b/server_ui/templates/base.html
index acbbc84..5421fd7 100644
--- a/server_ui/templates/base.html
+++ b/server_ui/templates/base.html
@@ -50,7 +50,7 @@ logged in as {{user.display_html_small|safe}}
 [<a href="{% url auth.views.logout %}?return_url={{CURRENT_URL}}">logout</a>]<br />
 {% else %}
 {% if voter %}
-You are signed in as voter <u>{{voter.name}}</u> in election <u>{{voter.election.name}}</u>. [<a href="{{settings.SECURE_URL_HOST}}{% url auth.views.logout %}?return_url={{CURRENT_URL}}">sign out</a>]
+You are signed in as voter <u>{% if voter.alias %}{{voter.alias}}{% else %}{{voter.name}}{% endif %}</u> in election <u>{{voter.election.name}}</u>. [<a href="{{settings.SECURE_URL_HOST}}{% url auth.views.logout %}?return_url={{CURRENT_URL}}">sign out</a>]
 {% else %}
 not logged in. [<a href="{{settings.SECURE_URL_HOST}}{% url auth.views.index %}?return_url={{CURRENT_URL}}">log in</a>]
 {% endif %}
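Review bot: `{{CURRENT_URL}}` is interpolated into the `return_url` query parameter on the changed line without URL-encoding, and likewise on the logout and log in links around it. A current URL that carries its own query string would therefore be cut at its first `&` once it is parsed as a parameter. Unless CURRENT_URL is already encoded where it is set, which this hunk does not show, `?return_url={{CURRENT_URL|urlencode}}` is the safer form.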
-- 
GitLab