Some permissions fixs and security for atomic vote

election/models.py

@@ -128,7 +128,7 @@ class Candidature(models.Model):
     election_list = models.ForeignKey(ElectionList, related_name='candidatures', verbose_name=_('election list'))
 
     def can_be_edited_by(self, user):
-        return (user == self.user)
+        return (user == self.user) or user.can_edit(self.role.election)
 
     def __str__(self):
         return "%s : %s" % (self.role.title, self.user.username)

election/templates/election/candidate_form.jinja

@@ -5,7 +5,7 @@
 {% endblock %}
 
 {% block content %}
-    {%- if election.can_candidate(user) or user.can_edit(election) %}
+    {%- if (election.can_candidate(user) and election.is_candidature_active) or (user.can_edit(election) and election.is_vote_editable) %}
     <section class="election__add-candidature">
         <form action="{{ url('election:candidate', election_id=election.id) }}" method="post">
             {% csrf_token %}

election/templates/election/election_detail.jinja

@@ -359,7 +359,7 @@ th {
     </section>
     {%- endif %}
     <section class="election__add-elements">
-    {%- if election.can_candidate(user) or user.can_edit(election) %}
+    {%- if (election.can_candidate(user) and election.is_candidature_active) or (user.can_edit(election) and election.is_vote_editable) %}
         <a href="{{ url('election:candidate', election_id=object.id) }}">{% trans %}Candidate{% endtrans %}</a>
     {%- endif %}
         <a href="{{ url('election:create_list', election_id=object.id) }}">{% trans %}Add a new list{% endtrans %}</a>

election/views.py

@@ -5,6 +5,7 @@ from django.core.urlresolvers import reverse_lazy, reverse
 from django.utils.translation import ugettext_lazy as _
 from django.forms.models import modelform_factory
 from django.core.exceptions import PermissionDenied, ObjectDoesNotExist, ImproperlyConfigured
+from django.db import DataError, transaction
 from django.forms import CheckboxSelectMultiple
 from django.utils import timezone
 from django.conf import settings
@@ -173,20 +174,21 @@ class VoteFormView(CanCreateMixin, FormView):
         return super(VoteFormView, self).dispatch(request, *arg, **kwargs)
 
     def vote(self, election_data):
-        for role_title in election_data.keys():
-            # If we have a multiple choice field
-            if isinstance(election_data[role_title], QuerySet):
-                if election_data[role_title].count() > 0:
-                    vote = Vote(role=election_data[role_title].first().role)
+        with transaction.atomic():
+            for role_title in election_data.keys():
+                # If we have a multiple choice field
+                if isinstance(election_data[role_title], QuerySet):
+                    if election_data[role_title].count() > 0:
+                        vote = Vote(role=election_data[role_title].first().role)
+                        vote.save()
+                    for el in election_data[role_title]:
+                        vote.candidature.add(el)
+                # If we have a single choice
+                elif election_data[role_title] is not None:
+                    vote = Vote(role=election_data[role_title].role)
                     vote.save()
-                for el in election_data[role_title]:
-                    vote.candidature.add(el)
-            # If we have a single choice
-            elif election_data[role_title] is not None:
-                vote = Vote(role=election_data[role_title].role)
-                vote.save()
-                vote.candidature.add(election_data[role_title])
-        self.election.voters.add(self.request.user)
+                    vote.candidature.add(election_data[role_title])
+            self.election.voters.add(self.request.user)
 
     def get_form_kwargs(self):
         kwargs = super(VoteFormView, self).get_form_kwargs()
@@ -366,6 +368,22 @@ class ElectionUpdateView(CanEditMixin, UpdateView):
     template_name = 'core/edit.jinja'
     pk_url_kwarg = 'election_id'
 
+    def get_initial(self):
+        init = {}
+        try:
+            init['start_date'] = self.object.start_date.strftime('%Y-%m-%d %H:%M:%S')
+        except:pass
+        try:
+            init['end_date'] = self.object.end_date.strftime('%Y-%m-%d %H:%M:%S')
+        except:pass
+        try:
+            init['start_candidature'] = self.object.start_candidature.strftime('%Y-%m-%d %H:%M:%S')
+        except:pass
+        try:
+            init['end_candidature'] = self.object.end_candidature.strftime('%Y-%m-%d %H:%M:%S')
+        except:pass
+        return init
+
     def get_success_url(self, **kwargs):
         return reverse_lazy('election:detail', kwargs={'election_id': self.object.id})