From 131633d3696321886d72bc936867492069abff76 Mon Sep 17 00:00:00 2001
From: Eric Malm
Date: Tue, 20 Jun 2023 14:54:51 -0700
Subject: [PATCH] Scope requests to view and edit vote record to only the specified election (#90)

The controllers to view and to edit a voter's submission in an election now search for that vote record within the scope of the ID of the election. Otherwise, the controller will find the first vote that user submitted for any election in the system and attempt to decrypt that vote using the supplied password.
---
 elekto/controllers/elections.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/elekto/controllers/elections.py b/elekto/controllers/elections.py
index dcfd69a..77c4ff7 100644
--- a/elekto/controllers/elections.py
+++ b/elekto/controllers/elections.py
@@ -149,7 +149,7 @@ def elections_view(eid):
 election = meta.Election(eid)
 voters = election.voters()
 e = SESSION.query(Election).filter_by(key=eid).first()
- voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id).first()
+ voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id,election_id=e.id).first()
 passcode = F.request.form["password"]
@@ -175,7 +175,7 @@ def elections_view(eid):
 def elections_edit(eid):
 election = meta.Election(eid)
 e = SESSION.query(Election).filter_by(key=eid).first()
- voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id).first()
+ voter = SESSION.query(Voter).filter_by(user_id=F.g.user.id,election_id=e.id).first()
 passcode = F.request.form["password"]
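Review bot: The new filter dereferences `e.id` in both `elections_view` and `elections_edit` without checking that the Election lookup on the preceding line returned a row. `.first()` returns None when no row has `key=eid`, so unless a check outside the hunk guarantees the row exists, the request fails with an AttributeError rather than a clean not-found response. A guard such as `if e is None: F.abort(404)` before the Voter query would cover it, assuming `F` is the Flask module. The narrower scope also makes `voter` more likely to be None, for example for a user who voted only in a different election, so the code that follows `passcode` should reject that case before any decryption is attempted. Both function bodies continue outside the hunks, so that handling may already exist there. A regression test with one user holding votes in two elections would pin the behaviour this commit fixes.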