From 0ae55a359f776d2de4a6442449a57d39dc66f9f3 Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Mon, 3 Oct 2011 07:19:58 -0700
Subject: [PATCH] fixed privacy leak in castvote view with aliased voters
---
 helios/templates/castvote.html | 6 +++---
 helios/views.py | 2 +-
 server_ui/templates/base.html | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/helios/templates/castvote.html b/helios/templates/castvote.html
index 68197c5..bcba4ae 100644
--- a/helios/templates/castvote.html
+++ b/helios/templates/castvote.html
@@ -6,10 +6,10 @@
 cast in <a href="{% url helios.views.one_election_view election.uuid %}">{{election.name}}</a><br />
 Fingerprint: <tt>{{cast_vote.vote_hash}}</tt><br />
 by <b><u>
-{% if voter.alias %}
-{{voter.alias}}
+{% if the_voter.alias %}
+{{the_voter.alias}}
 {% else %}
-{{voter.name}}
+{{the_voter.name}}
 {% endif %}
 </u></b>
 <br /><br />
diff --git a/helios/views.py b/helios/views.py
index 2409e41..30fd9c2 100644
--- a/helios/views.py
+++ b/helios/views.py
@@ -175,7 +175,7 @@ def election_vote_shortcut(request, election_short_name):
 @election_view()
 def _castvote_shortcut_by_election(request, election, cast_vote):
- return render_template(request, 'castvote', {'cast_vote' : cast_vote, 'vote_content': cast_vote.vote.toJSON(), 'voter': cast_vote.voter, 'election': election})
+ return render_template(request, 'castvote', {'cast_vote' : cast_vote, 'vote_content': cast_vote.vote.toJSON(), 'the_voter': cast_vote.voter, 'election': election})
 def castvote_shortcut(request, vote_tinyhash):
 try:
diff --git a/server_ui/templates/base.html b/server_ui/templates/base.html
index acbbc84..5421fd7 100644
--- a/server_ui/templates/base.html
+++ b/server_ui/templates/base.html
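Review bot: The `{% else %}` branch in castvote.html still prints `{{the_voter.name}}` whenever the per-voter alias is empty, so the page falls back to the real name instead of hiding it; if the election is meant to be aliased (not visible in this hunk), the fallback should depend on the election's alias setting, not only on the voter field. The same alias-or-name choice is written out again in the `server_ui/templates/base.html` hunk, so any further template that prints `voter.name` directly would reintroduce the leak; one display property on the voter model, used by both templates, would keep the rule in a single place. A template comment such as `{# the_voter: owner of this cast vote, not the signed-in voter #}` above the `{% if %}` would record why the variable is not called `voter`.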
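Review bot: Renaming the context key to `the_voter` in `_castvote_shortcut_by_election` avoids the clash with the `voter` variable that `base.html` reads for the signed-in banner, but nothing in the code records that reason, and any other view that passes a `'voter'` key to `render_template` would presumably shadow the session voter in the same way. Add a comment above the return, e.g. `# 'the_voter', not 'voter': base.html treats 'voter' as the signed-in voter`, and consider having `render_template` (not shown in this hunk) reject or log a caller-supplied `voter` key. A regression test that renders this view for an aliased voter and asserts the real name is absent from the response would pin the fix.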
@@ -50,7 +50,7 @@
 logged in as {{user.display_html_small|safe}} [<a href="{% url auth.views.logout %}?return_url={{CURRENT_URL}}">logout</a>]<br />
 {% else %}
 {% if voter %}
-You are signed in as voter <u>{{voter.name}}</u> in election <u>{{voter.election.name}}</u>. [<a href="{{settings.SECURE_URL_HOST}}{% url auth.views.logout %}?return_url={{CURRENT_URL}}">sign out</a>]
+You are signed in as voter <u>{% if voter.alias %}{{voter.alias}}{% else %}{{voter.name}}{% endif %}</u> in election <u>{{voter.election.name}}</u>. [<a href="{{settings.SECURE_URL_HOST}}{% url auth.views.logout %}?return_url={{CURRENT_URL}}">sign out</a>]
 {% else %}
 not logged in. [<a href="{{settings.SECURE_URL_HOST}}{% url auth.views.index %}?return_url={{CURRENT_URL}}">log in</a>]
 {% endif %}
-- GitLab