From 03c5533cf0ad1110da43ac0d280974bdf0d5d061 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Thu, 28 Aug 2025 12:35:00 +0200
Subject: [PATCH] Don't allow users who voted in a booth to vote via web

For the longest time, we've disabled the buttons to vote via web when people had already voted in a booth. However, we were still allowing HTTP requests to the actions to vote via web. So we're adding a condition to prevent it. The reason why we're changing the controller instead of the abilities model (which is what we usually do) is that there might be side-effects to the change. For instance, in the `Polls::PollComponent` class, there's an `elsif cannot?(:answer, poll)` condition which would have a different behavior if we changed the abilities model.
---
 app/controllers/polls_controller.rb | 2 ++
 spec/controllers/polls_controller_spec.rb | 13 +++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/app/controllers/polls_controller.rb b/app/controllers/polls_controller.rb
index d09e15812..cf114b08d 100644
--- a/app/controllers/polls_controller.rb
+++ b/app/controllers/polls_controller.rb
@@ -23,6 +23,8 @@ class PollsController < ApplicationController
   end
 
   def answer
+    raise CanCan::AccessDenied if @poll.voted_in_booth?(current_user)
+
     @web_vote = Poll::WebVote.new(@poll, current_user)
 
     if @web_vote.update(answer_params)
diff --git a/spec/controllers/polls_controller_spec.rb b/spec/controllers/polls_controller_spec.rb
index 6a0a03c2e..b8b7f8256 100644
--- a/spec/controllers/polls_controller_spec.rb
+++ b/spec/controllers/polls_controller_spec.rb
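Review bot: The booth check is enforced only inside `answer`, while the commit message talks about "the actions to vote via web" in the plural; the rest of `PollsController` is outside the hunk, so if any other action writes a web vote it remains unguarded, and a `before_action :deny_if_voted_in_booth, only: [:answer]` that raises `CanCan::AccessDenied` would keep the rule in one declarative place that is easy to extend. Because the rule deliberately lives in the controller rather than in the Ability, a comment on the raise would stop a later maintainer from "moving it back": `# Kept out of Ability on purpose: Polls::PollComponent branches on cannot?(:answer, poll)`. The guard presumably relies on `@poll` being loaded by an earlier filter, which is not visible here.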
@@ -28,5 +28,18 @@ describe PollsController do
 
       expect(Poll::Answer.count).to eq 1
     end
+
+    it "denies access when users have already voted in a booth" do
+      poll = create(:poll)
+      user = create(:user, :level_two)
+      create(:poll_voter, :from_booth, poll: poll, user: user)
+
+      sign_in(user)
+
+      post :answer, params: { id: poll.id, web_vote: {}}
+
+      expect(response).to redirect_to "/"
+      expect(flash[:alert]).to eq "You do not have permission to access this page."
+    end
   end
 end
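Review bot: The new example checks the redirect and the flash message but never asserts that the denial happened before any write, so a regression that ran `Poll::WebVote#update` first and redirected afterwards would still pass; adding `expect(Poll::Answer.count).to eq 0` after the `post` (mirroring the `eq 1` assertion in the sibling example) pins the short-circuit. The `web_vote: {}` payload is harmless here because the request is rejected before `answer_params` is read, but a one-line comment saying so would save the next reader from wondering whether an empty vote is meaningful.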