branch feature/253-tuiles updated (f337e1e0 -> a4f6e237)
This is an automated email from the git hooks/post-receive script. New change to branch feature/253-tuiles in repository pollen. See https://gitlab.nuiton.org/chorem/pollen.git from f337e1e0 ref #253 Icôle logo Pollen new a4f6e237 fix #323 : Can hack poll by sending vote edits without previous VoteToChoice ids The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Detailed log of new commits: commit a4f6e2371cbe14c62abca528f9be83d2882fee72 Author: jcouteau <couteau@codelutin.com> Date: Mon Apr 20 11:51:08 2020 +0200 fix #323 : Can hack poll by sending vote edits without previous VoteToChoice ids Summary of changes: .../pollen/services/service/VoteService.java | 15 ++++- pollen-services/src/main/resources/fixtures.yaml | 2 +- .../pollen/services/service/VoteServiceTest.java | 73 +++++++++++++++++++++- 3 files changed, 86 insertions(+), 4 deletions(-) -- To stop receiving notification emails like this one, please contact chorem.org SCM administrator <admin+scm@chorem.org>.
This is an automated email from the git hooks/post-receive script. New commit to branch feature/253-tuiles in repository pollen. See https://gitlab.nuiton.org/chorem/pollen.git commit a4f6e2371cbe14c62abca528f9be83d2882fee72 Author: jcouteau <couteau@codelutin.com> Date: Mon Apr 20 11:51:08 2020 +0200 fix #323 : Can hack poll by sending vote edits without previous VoteToChoice ids --- .../pollen/services/service/VoteService.java | 15 ++++- pollen-services/src/main/resources/fixtures.yaml | 2 +- .../pollen/services/service/VoteServiceTest.java | 73 +++++++++++++++++++++- 3 files changed, 86 insertions(+), 4 deletions(-) diff --git a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java index 4b3a383d..5242f2d5 100644 --- a/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java +++ b/pollen-services/src/main/java/org/chorem/pollen/services/service/VoteService.java @@ -501,7 +501,20 @@ public class VoteService extends PollenServiceSupport { } } } else { - choicesToSave.add(createVoteToChoice(toSave, input)); + boolean edited = false; + + for (VoteToChoice voteToChoice : choicesToSave) { + if (input.getChoiceId().getEntityId().equals(voteToChoice.getChoice().getTopiaId())) { + //Found a vote for this choice, so update it + voteToChoice.setVoteValue(input.getVoteValue()); + edited = true; + } + } + + if (!edited) { + //Did not find a vote for this choice, so create it + choicesToSave.add(createVoteToChoice(toSave, input)); + } } } } else { diff --git a/pollen-services/src/main/resources/fixtures.yaml b/pollen-services/src/main/resources/fixtures.yaml index 68c3523a..f290ce9d 100644 --- a/pollen-services/src/main/resources/fixtures.yaml +++ b/pollen-services/src/main/resources/fixtures.yaml 
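Review bot: In the VoteService.java hunk the new loop dereferences `input.getChoiceId()` without a null check, so an edit entry that carries neither a VoteToChoice id nor a choice id would surface as a NullPointerException rather than a rejected request, unless the bean is validated earlier in code outside this hunk. Checking `input.getChoiceId() == null` before the loop and rejecting the entry with the service's usual invalid-input error keeps malformed client data on the validation path. The de-duplication by choice is also enforced only in this branch; if the persistence layer has no uniqueness constraint on (vote, choice), adding one would be a useful backstop, though the schema is not visible here. The enclosing method starts and ends outside the hunk.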
@@ -56,7 +56,7 @@ poll_normal: &normal !poll title: Sondage normal description: Sondage de type 'normal' - beginDate: 1/1/2014 + beginDate: 31/12/2013 endDate: 1/2/2014 #maxChoiceNumber: 2 anonymousVoteAllowed: false diff --git a/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java b/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java index ea8535eb..3b7b5f4e 100644 --- a/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java +++ b/pollen-services/src/test/java/org/chorem/pollen/services/service/VoteServiceTest.java @@ -21,13 +21,20 @@ package org.chorem.pollen.services.service; * #L% */ +import org.chorem.pollen.persistence.entity.Choice; import org.chorem.pollen.services.AbstractPollenServiceTest; +import org.chorem.pollen.services.bean.PaginationParameterBean; +import org.chorem.pollen.services.bean.PollBean; +import org.chorem.pollen.services.bean.VoteBean; +import org.chorem.pollen.services.bean.VoteToChoiceBean; +import org.chorem.pollen.services.bean.PollenEntityId; import org.chorem.pollen.services.test.FakePollenSecurityContext; import org.junit.Assert; import org.junit.Before; import org.junit.Test; import java.util.Date; +import java.util.List; public class VoteServiceTest extends AbstractPollenServiceTest { @@ -40,13 +47,13 @@ public class VoteServiceTest extends AbstractPollenServiceTest { service = newService(VoteService.class); - getServiceContext().setDate(new Date(1363948427576L)); - getServiceContext().setSecurityContext(new FakePollenSecurityContext()); } @Test public void testPurgeOldVotes() { + + getServiceContext().setDate(new Date(1363948427576L)); //TODO should also check that old votes are properly anonymized try { service.purgeOldVotes(); 
@@ -54,4 +61,66 @@ public class VoteServiceTest extends AbstractPollenServiceTest { Assert.fail("Exception should not have been thrown"); } } + + @Test + public void testEditVote() throws Exception { + PaginationParameterBean pagination = PaginationParameterBean.of(0,-1); + + login("jean@pollen.org", "fake"); + + //Get poll + PollService pollService = newService(PollService.class); + PollBean poll = pollService.getPolls(pagination,"").getElements().get(0); + String pollId = poll.getEntityId(); + String questionId = poll.getQuestions().get(0).getEntityId(); + PollenEntityId<Choice> choice1Id = poll.getQuestions().get(0).getChoices().get(0).getId(); + + //Create one vote + VoteBean vote = new VoteBean(); + VoteToChoiceBean bean1 = new VoteToChoiceBean(); + bean1.setChoiceId(choice1Id); + bean1.setVoteValue(1.0); + vote.addChoice(bean1); + vote.setVoterName("test1"); + service.addVote(pollId, questionId, vote); + + List<VoteBean> votes = service.getVotes(pollId, questionId, pagination).getElements(); + Assert.assertEquals(1, votes.size()); + Assert.assertEquals("test1", votes.get(0).getVoterName()); + Assert.assertEquals(1, votes.get(0).getChoice().size()); + + //Try to edit it without setting ids, we still should have only one vote + VoteBean vote2 = new VoteBean(); + vote2.setId(votes.get(0).getId()); + VoteToChoiceBean bean2 = new VoteToChoiceBean(); + bean2.setChoiceId(choice1Id); + bean2.setVoteValue(1.0); + vote2.addChoice(bean2); + vote2.setVoterName("test2"); + vote2.setPermission(votes.get(0).getPermission()); + service.editVote(pollId, questionId, vote2); + + List<VoteBean> votes2 = service.getVotes(pollId, questionId, pagination).getElements(); + Assert.assertEquals(1, votes2.size()); + Assert.assertEquals("test2", votes2.get(0).getVoterName()); + Assert.assertEquals(1, votes2.get(0).getChoice().size()); + + //Try to edit it setting ids + VoteBean vote3 = new VoteBean(); + vote3.setId(votes.get(0).getId()); + VoteToChoiceBean bean3 = new VoteToChoiceBean(); 
+ bean3.setChoiceId(choice1Id); + bean3.setVoteValue(1.0); + Object[] beans = votes2.get(0).getChoice().toArray(); + bean3.setId(((VoteToChoiceBean)beans[0]).getId()); + vote3.addChoice(bean3); + vote3.setVoterName("test3"); + vote3.setPermission(votes.get(0).getPermission()); + service.editVote(pollId, questionId, vote3); + + List<VoteBean> votes3 = service.getVotes(pollId, questionId, pagination).getElements(); + Assert.assertEquals(1, votes3.size()); + Assert.assertEquals("test3", votes3.get(0).getVoterName()); + Assert.assertEquals(1, votes3.get(0).getChoice().size()); + } } -- To stop receiving notification emails like this one, please contact chorem.org SCM administrator <admin+scm@chorem.org>.
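Review bot: testEditVote sends `1.0` as the vote value in all three requests and asserts only the voter name and the number of choices, so it would still pass if the id-less edit left the stored value untouched. Since the fix in VoteService updates the existing VoteToChoice through `setVoteValue`, the second request should use a different value that is valid for this poll type, and the test should assert it afterwards, along the lines of `Assert.assertEquals(expected, ((VoteToChoiceBean) votes2.get(0).getChoice().toArray()[0]).getVoteValue(), 0.0);`. A short comment above the test naming issue #323 would also tell a future reader why the id-less edit is exercised.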