Commit 863722fd authored by Julien Rabier's avatar Julien Rabier

[PATCH] by julm - fix missing check that choice belongs to current vote

parent d7497ce7
......@@ -467,15 +467,17 @@ def vote(idvote):
if vote is None:
abort(404)
if can_see_vote(idvote, get_userid()):
choices = query_db('select name, id from choices where id_vote=?', [idvote])
if request.method == 'POST':
if can_vote(idvote, get_userid()):
if vote['is_multiplechoice'] == 0:
if query_db('select * from choices where id = ?', [request.form['choice']], one=True) is not None:
g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)',
[session.get('user').get('id'), request.form['choice']])
choice = request.form['choice']
if choice in [str(c['id']) for c in choices] \
and query_db('select * from choices where id = ?', [choice], one=True) is not None:
g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)',
[session.get('user').get('id'), request.form['choice']])
g.db.commit()
else:
choices = query_db('select name, id from choices where id_vote=?', [idvote])
for choice in choices:
if str(choice['id']) in request.form.keys():
g.db.execute('insert into user_choice (id_user, id_choice) values (?, ?)',
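Review bot: The single-choice branch now validates `choice` twice, once against the preloaded `choices` list and once with a second `select * from choices where id = ?` that is not scoped to the vote, and then inserts `request.form['choice']` rather than the validated local. A single lookup bound to both keys, `query_db('select id from choices where id = ? and id_vote = ?', [choice, idvote], one=True)`, would keep the ownership check in one place, and inserting `choice` would make it obvious that the stored value is the one that was checked. A rejected choice is currently dropped silently; an `abort(400)` or a logged warning in that case would make tampered submissions visible. The body of vote() starts and continues outside this hunk, so whether can_vote() also prevents a second ballot from the same user cannot be confirmed from here.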