From 0d15b15c70b725e508c1e94a4c7ea0bb5cd289a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Bedna=C5=99=C3=ADk?= <jan.bednarik@gmail.com>
Date: Wed, 21 Feb 2024 19:39:00 +0100
Subject: [PATCH] Hide voters hashes in running election
---
 api/views.py | 36 +++++++++++++++++++++++++++----
 helios/templates/voters_list.html | 2 +-
 helios/views.py | 1 +
 settings.py | 2 ++
 4 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/api/views.py b/api/views.py
index e6fc9f7..9217b31 100644
--- a/api/views.py
+++ b/api/views.py
@@ -1,4 +1,7 @@
+import re
+
 import pytz
+from django.conf import settings
 from django.http import JsonResponse
 from django.views.generic import TemplateView, View
@@ -21,6 +24,24 @@ class IndexView(TemplateView):
 template_name = "api/index.html"
+def get_auth_token(headers):
+ auth_header = headers.get("Authorization", "")
+ m = re.match(r"Bearer (?P<token>.+)", auth_header)
+ if m:
+ return m.group("token")
+ return None
+
+
+def should_hide_votes(request, election):
+ if election.voting_has_started() and not election.voting_has_stopped():
+ if not settings.API_TOKEN:
+ return True
+ if get_auth_token(request.headers) == settings.API_TOKEN:
+ return False
+ return True
+ return False
+
+
 def election_as_dict(election):
 voting_start_at = (
 election.voting_start_at.replace(tzinfo=pytz.UTC)
@@ -74,7 +95,10 @@ class UserElectionsView(JsonView):
 elections = []
 for voter in qs:
 election = election_as_dict(voter.election)
- election["user_has_voted"] = voter.vote_hash is not None
+ if should_hide_votes(request, voter.election):
+ election["user_has_voted"] = False
+ else:
+ election["user_has_voted"] = voter.vote_hash is not None
 elections.append(election)
 return {"username": username, "elections": elections}
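Review bot: In `should_hide_votes` the bearer token is compared with `==`, which is not a constant-time comparison, so response timing can reveal how much of a guessed token matches. Django ships `django.utils.crypto.constant_time_compare`; I would bind the header value first with `token = get_auth_token(request.headers)` and then test `if token and constant_time_compare(token, settings.API_TOKEN): return False`. Both new functions also lack docstrings. `should_hide_votes` deserves one line saying that participation is hidden from every caller while voting is open unless the request carries the configured `API_TOKEN`, and that an empty setting disables the bypass.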
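Review bot: When votes are hidden, `election["user_has_voted"] = False` reports the same value as a voter who really has not voted, so an API client cannot tell withheld data from a real answer. The same applies to `has_voted = False` in the `ElectionVotersView` hunk. Returning `None` for the hidden case (`election["user_has_voted"] = None`) or adding a separate flag would make the redaction explicit, provided existing consumers tolerate a null, which is not visible here. `should_hide_votes` is also re-evaluated on every iteration of the `for voter in qs:` loop, re-parsing the same Authorization header each time; the token part of the check could be done once before the loop. The method body starts above the hunk.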
@@ -90,14 +114,18 @@ class ElectionVotersView(JsonView):
 result = election_as_dict(election)
 result["voters"] = []
+ hide_votes = should_hide_votes(request, election)
+
 voters = (
 election.voter_set.all()
 .values_list("user__user_id", "vote_hash")
 .order_by("user__user_id")
 )
 for user_id, vote_hash in voters:
- result["voters"].append(
- {"username": user_id, "has_voted": vote_hash is not None}
- )
+ if hide_votes:
+ has_voted = False
+ else:
+ has_voted = vote_hash is not None
+ result["voters"].append({"username": user_id, "has_voted": has_voted})
 return result
diff --git a/helios/templates/voters_list.html b/helios/templates/voters_list.html
index 655ccd6..b006c9d 100644
--- a/helios/templates/voters_list.html
+++ b/helios/templates/voters_list.html
@@ -143,7 +143,7 @@ VoliÄŤi {{voters_page.start_index}} - {{voters_page.end_index}} (z {{total_voter
 {% if election.use_voter_aliases %}
 <td>{{voter.alias}}</td>
 {% endif %}
-<td><tt style="font-size: 1.4em;">{% if voter.vote_hash %}{{voter.vote_hash}} <span style="font-size:0.8em;"><!-- no link for now --></span>{% else %}—{% endif %}</tt></td>
+<td><tt style="font-size: 1.4em;">{% if voter.vote_hash %}{% if not election.voting_has_stopped and voter.user != user %}—{% else %}{{voter.vote_hash}}{% endif %}{% else %}—{% endif %}</tt></td>
 </tr>
 {% endfor %}
 </table>
diff --git a/helios/views.py b/helios/views.py
index 57e46e4..96133d5 100644
--- a/helios/views.py
+++ b/helios/views.py
@@ -1222,6 +1222,7 @@ def voters_list_pretty(request, election):
 {'election': election, 'voters_page': voters_page, 'voters': voters_page.object_list, 'admin_p': admin_p, 'email_voters': VOTERS_EMAIL,
+ 'user': get_user(request),
 'limit': limit, 'total_voters': total_voters, 'upload_p': VOTERS_UPLOAD, 'q' : q, 'voter_files': voter_files,
diff --git a/settings.py b/settings.py
index 8b25fc2..85fe572 100644
--- a/settings.py
+++ b/settings.py
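Review bot: In the voters_list.html hunk, the condition `voter.user != user` shows the hash whenever the two sides compare equal, and that includes the case where both are empty. If `voter.user` can be unset for some voters and `get_user(request)` yields nothing for an anonymous visitor (neither is visible in this patch), those hashes stay visible while the election is running. Stating the allow-case positively avoids that: `{% if election.voting_has_stopped or user and voter.user == user %}{{voter.vote_hash}}{% else %}—{% endif %}` inside the existing `{% if voter.vote_hash %}`. The template also hides on `not election.voting_has_stopped` alone, while `should_hide_votes` in api/views.py additionally requires `voting_has_started()`; it is worth confirming the two are meant to differ.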
@@ -314,6 +314,8 @@ PIRATI_CLIENT_SECRET = get_from_env('PIRATI_CLIENT_SECRET', '')
 OCTOPUS_API_URL = get_from_env('OCTOPUS_API_URL', '')
 OCTOPUS_API_TOKEN = get_from_env('OCTOPUS_API_TOKEN', '')
+API_TOKEN = get_from_env('API_TOKEN', '')
+
 if DEBUG:
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
-- GitLab
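Review bot: `API_TOKEN` is added without a comment, and its effect can only be learned by reading `should_hide_votes` in api/views.py. I would put `# Bearer token that lets API clients read has_voted flags while voting is open; empty (default) hides them from everyone.` above it. Because the value is a long-lived shared secret that unlocks participation data during a running election, the comment should also say it must be a randomly generated value supplied through the environment.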