Do not allow adding votes to expired polls (#10214)

* Do not allow adding votes to expired polls * Only validate expires_at on create
2019-03-08 00:54:50 +01:00
parent 054bbb3da2
commit 3aaac4f134
4 changed files with 26 additions and 1 deletions
--- a/app/lib/activitypub/activity/create.rb
+++ b/app/lib/activitypub/activity/create.rb
@@ -241,6 +241,7 @@ class ActivityPub::Activity::Create < ActivityPub::Activity

  def poll_vote?
    return false if replied_to_status.nil? || replied_to_status.poll.nil? || !replied_to_status.local? || !replied_to_status.poll.options.include?(@object['name'])
+    return true if replied_to_status.poll.expired?
    replied_to_status.poll.votes.create!(account: @account, choice: replied_to_status.poll.options.index(@object['name']), uri: @object['id'])
  end

--- a/app/models/poll.rb
+++ b/app/models/poll.rb
@@ -28,7 +28,7 @@ class Poll < ApplicationRecord

  validates :options, presence: true
  validates :expires_at, presence: true, if: :local?
-  validates_with PollValidator, if: :local?
+  validates_with PollValidator, on: :create, if: :local?

  scope :attached, -> { where.not(status_id: nil) }
  scope :unattached, -> { where(status_id: nil) }
--- a/app/services/vote_service.rb
+++ b/app/services/vote_service.rb
@@ -11,6 +11,8 @@ class VoteService < BaseService
    @choices = choices
    @votes   = []

+    return if @poll.expired?
+
    ApplicationRecord.transaction do
      @choices.each do |choice|
        @votes << @poll.votes.create!(account: @account, choice: choice)
--- a/spec/lib/activitypub/activity/create_spec.rb
+++ b/spec/lib/activitypub/activity/create_spec.rb
@@ -482,6 +482,28 @@ RSpec.describe ActivityPub::Activity::Create do
          expect(poll.reload.cached_tallies).to eq [1, 0]
        end
      end
+
+      context 'when a vote to an expired local poll' do
+        let(:poll) do
+          poll = Fabricate.build(:poll, options: %w(Yellow Blue), expires_at: 1.day.ago)
+          poll.save(validate: false)
+          poll
+        end
+        let!(:local_status) { Fabricate(:status, owned_poll: poll) }
+
+        let(:object_json) do
+          {
+            id: [ActivityPub::TagManager.instance.uri_for(sender), '#bar'].join,
+            type: 'Note',
+            name: 'Yellow',
+            inReplyTo: ActivityPub::TagManager.instance.uri_for(local_status)
+          }
+        end
+
+        it 'does not add a vote to the poll' do
+          expect(poll.votes.first).to be_nil
+        end
+      end
    end

    context 'when sender is followed by local users' do