Hide voters hashes in running election

api/views.py

+import re
+
 import pytz
+from django.conf import settings
 from django.http import JsonResponse
 from django.views.generic import TemplateView, View
 
@@ -21,6 +24,24 @@ class IndexView(TemplateView):
     template_name = "api/index.html"
 
 
+def get_auth_token(headers):
+    auth_header = headers.get("Authorization", "")
+    m = re.match(r"Bearer (?P<token>.+)", auth_header)
+    if m:
+        return m.group("token")
+    return None
+
+
+def should_hide_votes(request, election):
+    if election.voting_has_started() and not election.voting_has_stopped():
+        if not settings.API_TOKEN:
+            return True
+        if get_auth_token(request.headers) == settings.API_TOKEN:
+            return False
+        return True
+    return False
+
+
 def election_as_dict(election):
     voting_start_at = (
         election.voting_start_at.replace(tzinfo=pytz.UTC)
@@ -74,7 +95,10 @@ class UserElectionsView(JsonView):
         elections = []
         for voter in qs:
             election = election_as_dict(voter.election)
-            election["user_has_voted"] = voter.vote_hash is not None
+            if should_hide_votes(request, voter.election):
+                election["user_has_voted"] = False
+            else:
+                election["user_has_voted"] = voter.vote_hash is not None
             elections.append(election)
 
         return {"username": username, "elections": elections}
@@ -90,14 +114,18 @@ class ElectionVotersView(JsonView):
         result = election_as_dict(election)
         result["voters"] = []
 
+        hide_votes = should_hide_votes(request, election)
+
         voters = (
             election.voter_set.all()
             .values_list("user__user_id", "vote_hash")
             .order_by("user__user_id")
         )
         for user_id, vote_hash in voters:
-            result["voters"].append(
-                {"username": user_id, "has_voted": vote_hash is not None}
-            )
+            if hide_votes:
+                has_voted = False
+            else:
+                has_voted = vote_hash is not None
+            result["voters"].append({"username": user_id, "has_voted": has_voted})
 
         return result

helios/templates/voters_list.html

@@ -143,7 +143,7 @@ Voliči {{voters_page.start_index}} - {{voters_page.end_index}} (z {{total_voter
 {% if election.use_voter_aliases %}
 <td>{{voter.alias}}</td>
 {% endif %}
-<td><tt style="font-size: 1.4em;">{% if voter.vote_hash %}{{voter.vote_hash}} <span style="font-size:0.8em;"><!-- no link for now --></span>{% else %}&mdash;{% endif %}</tt></td>
+<td><tt style="font-size: 1.4em;">{% if voter.vote_hash %}{% if not election.voting_has_stopped and voter.user != user %}&mdash;{% else %}{{voter.vote_hash}}{% endif %}{% else %}&mdash;{% endif %}</tt></td>
 </tr>
 {% endfor %}
 </table>

helios/views.py

@@ -1222,6 +1222,7 @@ def voters_list_pretty(request, election):
                          {'election': election, 'voters_page': voters_page,
                           'voters': voters_page.object_list, 'admin_p': admin_p, 
                           'email_voters': VOTERS_EMAIL,
+                          'user': get_user(request),
                           'limit': limit, 'total_voters': total_voters,
                           'upload_p': VOTERS_UPLOAD, 'q' : q,
                           'voter_files': voter_files,

settings.py

@@ -314,6 +314,8 @@ PIRATI_CLIENT_SECRET = get_from_env('PIRATI_CLIENT_SECRET', '')
 OCTOPUS_API_URL = get_from_env('OCTOPUS_API_URL', '')
 OCTOPUS_API_TOKEN = get_from_env('OCTOPUS_API_TOKEN', '')
 
+API_TOKEN = get_from_env('API_TOKEN', '')
+
 if DEBUG:
     EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'