benadida / helios-server

Helios server
http://heliosvoting.org
Apache License 2.0

Password-users are not allowed to participate in open-registration elections #372

Open crazyscientist opened 1 year ago

crazyscientist commented 1 year ago

Problem

If the option "Anyone can vote" is chosen for an election, nobody can cast a vote.

Steps to reproduce

  1. Install the Django project in a VirtualEnv and apply migrations
  2. Set env. variables AUTH_ENABLED_SYSTEMS and AUTH_DEFAULT_SYSTEM to "password"
  3. Start server
  4. Create an election with a few questions/answers
  5. In the "Voters and Ballot Tracking Center" choose "Anyone can vote"
  6. Freeze the election
  7. Try to cast the vote

At the final step of the vote casting process the voter is asked for their "voter ID" and password.

However, the responsible view only tries to match the provided credentials against the voter list, which was not created, because it's an open election.

crazyscientist commented 1 year ago

It seems to be a design choice that users who are not authenticated via a 3rd party service (e.g. Google, GitHub, ...), i.e. users with a password stored in the DB (see #371), are not allowed to participate in open-registration elections.

This is prohibited by the function _check_eligibility in helios/views.py
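
A simplified model of the behaviour described in this thread, with a check that could be run before freezing an election. This is an added example, not code from helios-server: the `Election` class, the function names and the sample data are hypothetical, and the rule that only third-party users pass the open-registration check is an assumption taken from the comments above.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class Election:
    """Hypothetical stand-in for an election record (not the Helios model)."""
    openreg: bool                                   # True when "Anyone can vote" is chosen
    voter_list: dict = field(default_factory=dict)  # voter ID -> password; empty if no list exists

def voter_list_login(election, voter_id, password):
    """Final cast-vote step as the report describes it: the credentials
    are matched against the voter list and nothing else."""
    stored = election.voter_list.get(voter_id)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def can_reach_ballot_box(election, enabled_systems):
    """True if at least one kind of user could cast a vote.
    Assumption from the thread: in an open-registration election only users
    from non-password (third-party) systems pass the eligibility check."""
    if election.voter_list:
        return True  # listed voters log in with voter ID and password
    return election.openreg and any(s != "password" for s in enabled_systems)

def pre_freeze_warnings(election, enabled_systems):
    """Check to run before freezing: flag an election nobody can vote in."""
    if can_reach_ballot_box(election, enabled_systems):
        return []
    return ["no voter list and no third-party auth system: nobody can cast a vote"]

# Constructed sample data reproducing the reported setup.
OPEN_ELECTION = Election(openreg=True)
PASSWORD_ONLY = ["password"]  # the value the report sets AUTH_ENABLED_SYSTEMS to

if __name__ == "__main__":
    print(voter_list_login(OPEN_ELECTION, "alice", "s3cret"))
    print(pre_freeze_warnings(OPEN_ELECTION, PASSWORD_ONLY))
```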