Page MenuHomePhabricator

[Bug] Block access to election edit page after election end
Closed, ResolvedPublic2 Estimated Story PointsBUG REPORT

Description

Current behavior

Currently SecurePoll allows election admins to be able to make changes to an election they are admin for by modifying the URL (/edit/<election-id>). They are able to save changes to an election by doing this after the election ends, including changing the election start date.

This is problematic because it can falsify data for scrutineers who analyze election activity. The expectation is that no changes can be made to an election after the end of an election.

Expected behavior

After election end, the election edit page becomes inaccessible and no changes can be made to the election settings.

Event Timeline

Niharika triaged this task as Medium priority.Feb 26 2021, 8:23 PM
Niharika created this task.
Niharika changed the subtype of this task from "Task" to "Bug Report".Feb 26 2021, 8:24 PM

Change 668235 had a related patch set uploaded (by STran; owner: STran):
[mediawiki/extensions/SecurePoll@master] Disallow access to settings for finished polls

https://gerrit.wikimedia.org/r/668235

Change 668235 merged by jenkins-bot:
[mediawiki/extensions/SecurePoll@master] Disallow access to settings for finished polls

https://gerrit.wikimedia.org/r/668235

dom_walden added a subscriber: dom_walden.

If it is after the end date of the election, if you try to go to Special:SecurePoll/edit/<id> you see

This election has finished and you can no longer edit it.

Test Environment: https://vote.wikimedia.beta.wmflabs.org SecurePoll 2.0.0 (67fe30f) 07:56, 5 March 2021.