This is an automated email from the git hooks/post-receive script. New commit to branch feature/253-tuiles in repository pollen. See https://gitlab.nuiton.org/chorem/pollen.git commit a4f6e2371cbe14c62abca528f9be83d2882fee72 Author: jcouteau <couteau@codelutin.com> Date: Mon Apr 20 11:51:08 2020 +0200 fix #323 : Can hack poll by sending vote edits without previous VoteToChoice ids --- .../pollen/services/service/VoteService.java | 15 ++++- pollen-services/src/main/resources/fixtures.yaml | 2 +- .../pollen/services/service/VoteServiceTest.java | 73 +++++++++++++++++++++- 3 files changed, 86 insertions(+), 4 deletions(-)
diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java
index 4b3a383d..5242f2d5 100644
--- a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java
+++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java
@@ -501,7 +501,20 @@ public class VoteService extends PollenServiceSupport {
 }
 }
 } else {
- choicesToSave.add(createVoteToChoice(toSave, input));
+ boolean edited = false;
+
+ for (VoteToChoice voteToChoice : choicesToSave) {
+ if (input.getChoiceId().getEntityId().equals(voteToChoice.getChoice().getTopiaId())) {
+ //Found a vote for this choice, so update it
+ voteToChoice.setVoteValue(input.getVoteValue());
+ edited = true;
+ }
+ }
+
+ if (!edited) {
+ //Did not find a vote for this choice, so create it
+ choicesToSave.add(createVoteToChoice(toSave, input));
+ }
 }
 }
 } else {
diff --git a/pollen-services/src/main/resources/fixtures.yaml b/pollen-services/src/main/resources/fixtures.yaml
index 68c3523a..f290ce9d 100644
--- a/pollen-services/src/main/resources/fixtures.yaml
+++ b/pollen-services/src/main/resources/fixtures.yaml
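Review bot: The matching loop added to the `else` branch of VoteService.java calls `input.getChoiceId().getEntityId()` and `voteToChoice.getChoice().getTopiaId()` with no null check, and `input` is the request-supplied choice of a vote edit; unless validation outside this hunk already rejects an entry without a choice id, such a request now fails with a NullPointerException rather than a controlled validation error. Reading the id once before the loop and rejecting a missing value through the service's usual validation path would close that. The loop has no `break`, so every entry for the same choice is rewritten; if that is intended to cover duplicate rows stored before this fix, a comment like `// no break: also updates duplicates saved before the #323 fix` would make it explicit, and nothing here removes those rows. The enclosing method starts and ends outside the hunk.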
@@ -56,7 +56,7 @@ poll_normal: &normal !poll title: Sondage normal description: Sondage de type 'normal' - beginDate: 1/1/2014 + beginDate: 31/12/2013 endDate: 1/2/2014 #maxChoiceNumber: 2 anonymousVoteAllowed: false
diff --git a/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java b/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java
index ea8535eb..3b7b5f4e 100644
--- a/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java
+++ b/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java
@@ -21,13 +21,20 @@ package org.chorem.pollen.services.service;
 * #L%
 */
+import org.chorem.pollen.persistence.entity.Choice;
 import org.chorem.pollen.services.AbstractPollenServiceTest;
+import org.chorem.pollen.services.bean.PaginationParameterBean;
+import org.chorem.pollen.services.bean.PollBean;
+import org.chorem.pollen.services.bean.VoteBean;
+import org.chorem.pollen.services.bean.VoteToChoiceBean;
+import org.chorem.pollen.services.bean.PollenEntityId;
 import org.chorem.pollen.services.test.FakePollenSecurityContext;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import java.util.Date;
+import java.util.List;
 public class VoteServiceTest extends AbstractPollenServiceTest {
@@ -40,13 +47,13 @@ public class VoteServiceTest extends AbstractPollenServiceTest { service = newService(VoteService.class); - getServiceContext().setDate(new Date(1363948427576L)); - getServiceContext().setSecurityContext(new FakePollenSecurityContext()); } @Test public void testPurgeOldVotes() { + + getServiceContext().setDate(new Date(1363948427576L)); //TODO should also check that old votes are properly anonymized try { service.purgeOldVotes();
@@ -54,4 +61,66 @@ public class VoteServiceTest extends AbstractPollenServiceTest {
 Assert.fail("Exception should not have been thrown");
 }
 }
+
+ @Test
+ public void testEditVote() throws Exception {
+ PaginationParameterBean pagination = PaginationParameterBean.of(0,-1);
+
+ login("jean@pollen.org", "fake");
+
+ //Get poll
+ PollService pollService = newService(PollService.class);
+ PollBean poll = pollService.getPolls(pagination,"").getElements().get(0);
+ String pollId = poll.getEntityId();
+ String questionId = poll.getQuestions().get(0).getEntityId();
+ PollenEntityId<Choice> choice1Id = poll.getQuestions().get(0).getChoices().get(0).getId();
+
+ //Create one vote
+ VoteBean vote = new VoteBean();
+ VoteToChoiceBean bean1 = new VoteToChoiceBean();
+ bean1.setChoiceId(choice1Id);
+ bean1.setVoteValue(1.0);
+ vote.addChoice(bean1);
+ vote.setVoterName("test1");
+ service.addVote(pollId, questionId, vote);
+
+ List<VoteBean> votes = service.getVotes(pollId, questionId, pagination).getElements();
+ Assert.assertEquals(1, votes.size());
+ Assert.assertEquals("test1", votes.get(0).getVoterName());
+ Assert.assertEquals(1, votes.get(0).getChoice().size());
+
+ //Try to edit it without setting ids, we still should have only one vote
+ VoteBean vote2 = new VoteBean();
+ vote2.setId(votes.get(0).getId());
+ VoteToChoiceBean bean2 = new VoteToChoiceBean();
+ bean2.setChoiceId(choice1Id);
+ bean2.setVoteValue(1.0);
+ vote2.addChoice(bean2);
+ vote2.setVoterName("test2");
+ vote2.setPermission(votes.get(0).getPermission());
+ service.editVote(pollId, questionId, vote2);
+
+ List<VoteBean> votes2 = service.getVotes(pollId, questionId, pagination).getElements();
+ Assert.assertEquals(1, votes2.size());
+ Assert.assertEquals("test2", votes2.get(0).getVoterName());
+ Assert.assertEquals(1, votes2.get(0).getChoice().size());
+
+ //Try to edit it setting ids
+ VoteBean vote3 = new VoteBean();
+ vote3.setId(votes.get(0).getId());
+ VoteToChoiceBean bean3 = new VoteToChoiceBean();
+ bean3.setChoiceId(choice1Id);
+ bean3.setVoteValue(1.0);
+ Object[] beans = votes2.get(0).getChoice().toArray();
+ bean3.setId(((VoteToChoiceBean)beans[0]).getId());
+ vote3.addChoice(bean3);
+ vote3.setVoterName("test3");
+ vote3.setPermission(votes.get(0).getPermission());
+ service.editVote(pollId, questionId, vote3);
+
+ List<VoteBean> votes3 = service.getVotes(pollId, questionId, pagination).getElements();
+ Assert.assertEquals(1, votes3.size());
+ Assert.assertEquals("test3", votes3.get(0).getVoterName());
+ Assert.assertEquals(1, votes3.get(0).getChoice().size());
+ }
 }
-- To stop receiving notification emails like this one, please contact chorem.org SCM administrator <admin+scm@chorem.org>.
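Review bot: `testEditVote` sends `1.0` again in `bean2` and `bean3`, so its assertions only show that no second VoteToChoice appears; the `setVoteValue` update that the fix adds for id-less edits is never observed. Changing the id-less edit to a different value, e.g. `bean2.setVoteValue(0.0);` (or another value this poll type accepts), and asserting it on the single returned choice would cover that path, assuming VoteToChoiceBean exposes the matching getter. A further case with two id-less entries for the same choice in one `editVote` call would also guard against duplicates arriving within a single request.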