From 116eb4604afc52eb62a4098e0e8e391a53eb4ded Mon Sep 17 00:00:00 2001
From: Brian Wiborg
Date: Mon, 13 May 2024 01:27:01 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=A9=B9=20Only=20allow=20eligible=20voters?= =?UTF-8?q?=20to=20vote?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 http/main.go | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/http/main.go b/http/main.go
index 74dd413..98865f7 100644
--- a/http/main.go
+++ b/http/main.go
@@ -114,6 +114,9 @@ func handleVote(ctx echo.Context) error {
 if time.Now().UTC().After(v.Deadline()) {
 return ctx.Redirect(http.StatusFound, fmt.Sprintf("/v/%s", vid))
 }
+ if !eligible(elector, v.Electors()) {
+ return ctx.String(http.StatusForbidden, "")
+ }
 if c, err = vote.ChoiceFromString(choice); err != nil {
 return err
 }
@@ -127,10 +130,26 @@ func handleVote(ctx echo.Context) error {
 func handleShowVoting(ctx echo.Context) error {
 v, err := store.GetVoting(ctx.Param("id"))
 if err != nil {
- fmt.Println(err)
 return err
 }
+ if v.Deadline().After(time.Now().UTC()) {
+ if !eligible(ctx.Request().Header.Get("X-Remote-User"), v.Electors()) {
+ return ctx.String(http.StatusForbidden, "")
+ }
+ }
 return ctx.Render(http.StatusOK, "voting", map[string]interface{}{
 "Voting": v,
 })
 }
+
+func eligible(e string, electors []string) bool {
+ if electors == nil || len(electors) == 0 {
+ return true
+ }
+ for _, _e := range electors {
+ if strings.ToLower(_e) == strings.ToLower(e) {
+ return true
+ }
+ }
+ return false
+}
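Review bot: The new eligibility gate in handleVote is only as trustworthy as `elector`, which is assigned outside this hunk; the second hunk takes the same kind of identity straight from the `X-Remote-User` request header in handleShowVoting. That is sound only if every request passes through an authenticating proxy that sets and overwrites the header, so the assumption deserves a comment next to both checks, e.g. `// identity comes from X-Remote-User, which the authenticating reverse proxy must set and overwrite`. A request without an identity presumably reaches `eligible` as an empty string; if anonymous votes are not intended, a guard such as `if elector == "" { return ctx.String(http.StatusUnauthorized, "") }` before the check would make that explicit. handleVote's body starts and ends outside the hunk.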
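Review bot: `eligible` fails open: a nil or empty electors list returns true for every caller, including one with no `X-Remote-User` value, and nothing states that this is the intended meaning of an unrestricted voting. A doc comment such as `// eligible reports whether e may take part; an empty electors list means the voting is open to everyone.` would make the contract explicit. The `electors == nil ||` test is redundant because `len` of a nil slice is 0, and the comparison could be `if strings.EqualFold(el, e) {`, which avoids allocating two lowered strings per element and drops the non-idiomatic `_e` name; note that EqualFold uses Unicode simple folding and can match slightly more than the ToLower comparison, so an exact or normalised match may be preferable for identities. In handleShowVoting the check applies only while the deadline is in the future, so a closed voting is rendered for anyone; if that is intended, a one-line comment there should say so.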