Don't allow users who voted in a booth to vote via web

For the longest time, we've disabled the buttons to vote via web when people had already voted in a booth. However, we were still allowing HTTP requests to the actions to vote via web. So we're adding a condition to prevent it. The reason why we're changing the controller instead of the abilities model (which is what we usually do) is that there might be side-effects to the change. For instance, in the `Polls::PollComponent` class, there's an `elsif cannot?(:answer, poll)` condition which would have a different behavior if we changed the abilities model.
2025-08-28 12:35:00 +02:00
parent b5d4a32e63
commit 03c5533cf0
2 changed files with 15 additions and 0 deletions
--- a/app/controllers/polls_controller.rb
+++ b/app/controllers/polls_controller.rb
@@ -23,6 +23,8 @@ class PollsController < ApplicationController
  end

  def answer
+    raise CanCan::AccessDenied if @poll.voted_in_booth?(current_user)
+
    @web_vote = Poll::WebVote.new(@poll, current_user)

    if @web_vote.update(answer_params)
--- a/spec/controllers/polls_controller_spec.rb
+++ b/spec/controllers/polls_controller_spec.rb
@@ -28,5 +28,18 @@ describe PollsController do

      expect(Poll::Answer.count).to eq 1
    end
+
+    it "denies access when users have already voted in a booth" do
+      poll = create(:poll)
+      user = create(:user, :level_two)
+      create(:poll_voter, :from_booth, poll: poll, user: user)
+
+      sign_in(user)
+
+      post :answer, params: { id: poll.id, web_vote: {}}
+
+      expect(response).to redirect_to "/"
+      expect(flash[:alert]).to eq "You do not have permission to access this page."
+    end
  end
 end