Find a way to limit votes to one by webid by polls
Ping @calummackervoy : could we check that one vote per user per polls exists before processing the save using a dumb pre_save signal ?
Does it exist ? Should we change the ForeignKey relationship to something else ?
Activity
- Maintainer
This can be done by overriding the save method in the Vote model easily, but it would be cleaner to override the view, so that we can return error 400 (or 409?) to the save request?
- Author Owner
@calummackervoy : did you have time to check that already ? I guess not :-)
Will need a fix for today, like early.
👌 1 - Calum Mackervoy mentioned in merge request !16 (merged)
- Benoit Alessandroni closed via merge request !16 (merged)
- Benoit Alessandroni mentioned in commit 1ef0b356
- Benoit Alessandroni reopened
- Author Owner
Ping @calummackervoy : My local tests are not conclusive in both cases:
- I can still vote as much as I wish, I never enter the is_safe_create method on VoteViewSet
- Getting a 403 on the OPTIONS call of the /can_vote/ route, even when the Authorization header is passed
The POST to create a vote looks as follows:
curl 'http://localhost:8000/polls/1/votes/' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjMzYTAxOWZlYTVlNzhhYzAxNDEyMjhmOTcwOGQxNDAxIn0.eyJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwMDAiLCJzdWIiOiJodHRwOi8vbG9jYWxob3N0OjgwMDAvdXNlcnMvYmFsZXNzYW4vIiwiYXVkIjoiOWU3NmMyNWJhZjRlNDEzN2FhZmU2N2MzYWVmMTMyODQiLCJleHAiOjE2MDY3ODk3MzIsImlhdCI6MTYwMTAyOTczMiwiYXV0aF90aW1lIjoxNjAxMDI5NjIzLCJub25jZSI6IktfeVliaGlpaktOQXZDYU9IcjNZNkUweGNkazJkanh1SU00aEloUUZDdm8iLCJhdF9oYXNoIjoiaG56cU15Tk54WndGVW9Nclppcm53dyJ9.B6zhN_TaOmEidOWumB5-aoyYzTp4dXN7W5t9FzifP7CAqjpXy2qPESiIShfrLfCbvZDLbiXd2gupWNm6SaKNvI6ZxuSVYRKfXBKLpzBoSJIeNhUK6tmt_gkFXiWY5hTyCkq-BtyZb_u0oKFSM13Jayid43At-mZhajlc--pVK5ODdW53mwuSbTCTbVSi2vNWr1ENjDfZb8EI-RffIkrgUG6WyO6y6yIHmjV-q0mlk15zAeOkyEKukKSA94OjrmE1Op1uwA6XG0sPiM4KR_2BXEPm1UDUSlzeXHNLHalpKG_a7qujwBcXbmQow8crtADDwNDNAOtzPSaPZ1QCHxLMgQ' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36' \
  -H 'content-type: application/ld+json' \
  -H 'Accept: */*' \
  -H 'Origin: http://localhost:3000' \
  -H 'Sec-Fetch-Site: same-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Referer: http://localhost:3000/polls' \
  -H 'Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7' \
  -H 'Cookie: csrftoken=6DtyU8KkkOWyVmCF1eKcVZdb5q2AunjnLMi2Rz2erlyzmK4gTeoQ0XnBAQYLdFhT; sessionid=cjms8e14hpv6fd1wvgj2uzey8j0o0vvr' \
  --data-binary '{"choiceValue":"","chosenOption":{"@id":"http://localhost:8000/polloptions/2/"},"@context":{"@vocab":"http://happy-dev.fr/owl/#","rdf":"http://www.w3.org/1999/02/22-rdf-syntax-ns#","rdfs":"http://www.w3.org/2000/01/rdf-schema#","ldp":"http://www.w3.org/ns/ldp#","foaf":"http://xmlns.com/foaf/0.1/","name":"rdfs:label","acl":"http://www.w3.org/ns/auth/acl#","permissions":"acl:accessControl","mode":"acl:mode","geo":"http://www.w3.org/2003/01/geo/wgs84_pos#","lat":"geo:lat","lng":"geo:long","inbox":"http://happy-dev.fr/owl/#inbox","object":"http://happy-dev.fr/owl/#object","author":"http://happy-dev.fr/owl/#author","account":"http://happy-dev.fr/owl/#account","jabberID":"foaf:jabberID","picture":"foaf:depiction"}}' \
  --compressed
Edited by Benoit Alessandroni
- Author Owner
It actually looks like it never enters the is_safe_create method, still going through the djangoldp.LDPViewSet.is_safe_create (checked that using some print in the code). So always returning True.
- Maintainer
I can't replicate the first one
Testing locally I receive 400 - Bad Request with: [ "You may only vote on this poll once!" ]
Are you running the latest version of DjangoLDP? I updated DjangoLDP a few weeks ago to support custom view sets on nested fields, before it would be ignoring the view_set parameter in Vote.Meta
- Maintainer
Also can't replicate the issue for http://localhost:8000/polls/1/can_vote/ .. I receive 200 - OK with False in the response body
The code is written to send 403 only if the user isn't authenticated: https://git.startinblox.com/applications/etuc/djangoldp-polls/blob/884a10d37dc9a7aec24792fa0ee204a3cee0bbd4/djangoldp_polls/views.py#L15
Edited by Calum Mackervoy
- Author Owner
I am actually using the up-to-date version of djangoldp from the master branch, so that I can debug. So yes, latest I would say.
- Maintainer
Could you post a pip freeze of your environment please?
Not because I don't believe you 😉
Edited by Calum Mackervoy
- Author Owner
Pip freeze won't consider symlinked packages I think ?
- Author Owner
Here is my pip freeze:
👍 1 - Maintainer
I got to the bottom of this ... essentially this code which I merged into DjangoLDP supporting custom nested view sets had been removed from master I think by Git, when mine + JB's performance testing code was merged last week
This will probably explain why your branch of DjangoLDPI18n randomly stopped working as well. I've opened an MR for this here: djangoldp-packages/djangoldp!162 (merged)
Edited by Calum Mackervoy
- Calum Mackervoy closed
- Benoit Alessandroni reopened
- Maintainer
It's not closed?
- Author Owner
It is probably, still I am having a weird behaviour briefly explained here: !18 (comment 37530) and I am unsure of the source of the thing.
Leaving it open so we can check together, I'd like to show you tomorrow.
- Maintainer
okay
👍
- Benoit Alessandroni closed
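The one-vote-per-user-per-poll rule discussed in this thread, as an added example that is not code from djangoldp-polls or from any participant: a view-level check that answers 400 with the message quoted above, backed by a database UNIQUE constraint so a request that slips past the check still cannot store a second vote. It uses plain sqlite3 rather than Django; the table layout, the function names, the `precheck` switch and the 409 mapping are assumptions made for illustration.

```python
import sqlite3

ALREADY_VOTED = "You may only vote on this poll once!"  # message quoted in the thread


def open_db():
    conn = sqlite3.connect(":memory:")
    # The UNIQUE constraint is the authoritative rule; the view check below
    # only produces a friendlier error before the insert is attempted.
    conn.execute(
        "CREATE TABLE vote ("
        " poll_id INTEGER NOT NULL,"
        " user_webid TEXT NOT NULL,"
        " option_id INTEGER NOT NULL,"
        " UNIQUE (poll_id, user_webid))"
    )
    return conn


def can_vote(conn, poll_id, webid):
    """Mirror the /can_vote/ behaviour described above: 403 if anonymous, else 200 + bool."""
    if webid is None:
        return 403, None
    row = conn.execute(
        "SELECT 1 FROM vote WHERE poll_id = ? AND user_webid = ?", (poll_id, webid)
    ).fetchone()
    return 200, row is None


def create_vote(conn, poll_id, webid, option_id, precheck=True):
    """Return (status, body). precheck=False stands in for a request whose
    check ran before a concurrent request committed its vote."""
    if webid is None:
        return 403, None
    if precheck and can_vote(conn, poll_id, webid) == (200, False):
        return 400, [ALREADY_VOTED]
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO vote VALUES (?, ?, ?)", (poll_id, webid, option_id))
    except sqlite3.IntegrityError:
        return 409, [ALREADY_VOTED]  # the constraint caught what the check missed
    return 201, None


def vote_count(conn, poll_id, webid):
    return conn.execute(
        "SELECT COUNT(*) FROM vote WHERE poll_id = ? AND user_webid = ?", (poll_id, webid)
    ).fetchone()[0]
```

A check done only in `save`, a signal or the view is a read followed by a write, so two simultaneous requests can both pass it; the constraint is what holds in that case.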