helios-server

Password-users are not allowed to participate in open-registration elections

Open crazyscientist opened this issue 2 years ago • 1 comments

Problem

If the option "Anyone can vote" is chosen for an election, nobody can cast a vote.

Steps to reproduce

  1. Install the Django project in a VirtualEnv and apply migrations
  2. Set env. variables AUTH_ENABLED_SYSTEMS and AUTH_DEFAULT_SYSTEM to "password"
  3. Start server
  4. Create an election with a few questions/answers
  5. In the "Voters and Ballot Tracking Center" choose "Anyone can vote"
  6. Freeze the election
  7. Try to cast the vote

At the final step of the vote casting process the voter is asked for their "voter ID" and password.

However, the responsible view only tries to match the provided credentials against the voter list, which was not created because it's an open election.

crazyscientist, Jan 31 '23 15:01

It seems to be a design choice that users who are not authenticated via a 3rd party service (e.g. Google, GitHub, ...), i.e. users with a password stored in the DB (see #371), are not allowed to participate in open-registration elections.

This is prohibited by the function _check_eligibility in helios/views.py.

crazyscientist, Feb 02 '23 10:02