From 80c0efa2d9c959d944ac756807f9c4726f0f5b72 Mon Sep 17 00:00:00 2001
From: "Bradley M. Kuhn" <bkuhn@ebb.org>
Date: Sun, 9 Feb 2014 17:24:32 -0500
Subject: [PATCH] Create a verification page, so that voters can see how they
 voted online before the election actually ends.

---
 vote/Makefile.am              |  1 +
 vote/include/election-sql.php | 18 ++++++++
 vote/verify.wml               | 81 +++++++++++++++++++++++++++++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 vote/verify.wml

diff --git a/vote/Makefile.am b/vote/Makefile.am
index e33c403..71bb8ef 100644
--- a/vote/Makefile.am
+++ b/vote/Makefile.am
@@ -8,6 +8,7 @@ page_SCRIPTS = \
         results.php	\
         votes.php	\
 	vote.php	\
+	verify.php	\
 	overview.html	\
 	blt.php
 
diff --git a/vote/include/election-sql.php b/vote/include/election-sql.php
index a7336a1..a3d6629 100644
--- a/vote/include/election-sql.php
+++ b/vote/include/election-sql.php
@@ -150,6 +150,24 @@ function elec_verify_email_tmp_token ($handle, $election_id, $email, $tmp_token)
   return (mysql_result ($result, 0, 0) == 1);
 }
 
+function elec_verify_voted_token ($handle, $verify_token) {
+  global $anon_tokens_table;
+
+  if ($handle === FALSE)
+    return FALSE;
+
+  $escaped_verify_token = mysql_real_escape_string ($verify_token, $handle);
+
+  $query = "SELECT id FROM " . $anon_tokens_table;
+  $query .= " WHERE anon_token = '". $escaped_verify_token."'";
+
+  $result = mysql_query ($query, $handle);
+  if (!$result)
+    return 0;
+
+  return mysql_result ($result, 0, 0);
+}
+
 function elec_choices_get ($handle, $election_id) {
   global $choices_table;
 
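Review bot: When no row matches the token, `mysql_result ($result, 0, 0)` on the last line of elec_verify_voted_token emits a warning and returns FALSE, so the "not found" case is not the clean 0 that the `!$result` branch returns; guard it with `if (!$result || mysql_num_rows ($result) == 0) return 0;`. The function also returns FALSE when `$handle` is FALSE but 0 on a failed query, which leaves callers comparing against both; returning 0 in both cases and documenting it — `// Returns the anon_tokens row id for $verify_token, or 0 if it is absent or the lookup fails.` — keeps the contract to one check. Since the token is the lookup key for someone's ballot, callers should treat only a strictly positive integer id as a hit.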
diff --git a/vote/verify.wml b/vote/verify.wml
new file mode 100644
index 0000000..a9be761
--- /dev/null
+++ b/vote/verify.wml
@@ -0,0 +1,81 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+  <head>
+    <link rel="stylesheet" type="text/css" href="vote.css" />
+    <title>The GNOME Foundation - Vote Verification</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <link rel="stylesheet" type="text/css" href="vote.css" />
+  </head>
+
+  <body>
+
+<?php
+require_once ("include/election-sql.php");
+
+$error = "";
+
+$handle = elec_sql_open ();
+if ($handle === FALSE) {
+  $error .= "Can not open the database.<br />\n";
+  $step = 0;
+}
+
+$verify_token = "";
+
+if (($_POST["verify_token"])) {
+  $verify_token = $_POST["verify_token"];
+}
+$anon_token_id = elec_verify_voted_token ($handle, $verify_token);
+
+if ($verify_token && $anon_token_id > 0) {
+  $error .= "The vote verification token provided does not appear in the votes database.  Please check that you entered it correctly.<br />\n";
+}
+if (!$verify_token || $error) {
+  echo "<h2>Verify your ballot</h2>\n";
+  echo "<p>Please enter your ballot verification token.</p>\n";
+  echo "<form action=\"".htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES)."\" method=\"post\"";
+  echo "<div class=\"votedata\">\n";
+  echo "<p><label for=\"verify_token\">Verification Token: </label><input type=\"text\" name=\"verify_token\" value=\"".htmlspecialchars ($verify_token)."\" /></p>\n";
+  echo "</div>\n";
+  echo "  <input type=\"submit\" value=\"Submit\" />\n";
+  echo "</form>\n";
+} else {
+    $votes = elec_get_votes_for_anon_token ($handle, $anon_token_id);
+    echo "<tr class=\"".$class."\">\n";
+    echo "<td><span class=\"token\">".htmlspecialchars($verify_token)."</span></td>\n";
+    echo "<td>";
+    if ($votes === FALSE) {
+      echo "Can not access votes<br />for this anonymous token.";
+      $error .= "Can not get votes for anonymous token ".htmlspecialchars($anon_token["anon_token"])."<br />\n";
+    } else if (count ($votes) == 0) {
+      echo "This voter chose to vote for<br />none of the possible choices.";
+    } else {
+      echo "<ol>";
+      foreach ($votes as $vote) {
+        if (array_key_exists ($vote["choice_id"], $choices_name))
+          echo "<li><em>".htmlspecialchars($votes["preference"])." ".htmlspecialchars($choices_name[$vote["choice_id"]])."</em></li>\n";
+        else {
+          echo "<li><em>Unknown value (".htmlspecialchars($vote["choice_id"]).")</em></li>\n";
+          $error .= "There was an unkown vote for anonymous token ".htmlspecialchars($anon_token["anon_token"]).": ".htmlspecialchars($vote["choice_id"])."<br />\n";
+        }
+      }
+      echo "</ol>";
+    }
+
+    echo "</td>\n";
+
+    echo "</tr>\n";
+  echo "</table>\n";
+}
+global $committee_name;
+global $committee_email;
+
+if (isset ($error) && $error != "") {
+  echo "<div class=\"error\">".$error."</div>\n";;
+  echo "<p>If you don't understand the error, you should probably contact the $committee_name, which can be reached at <a href=\"mailto:$committee_email\">$committee_email</a>.</p>\n";
+}
+
+if (isset ($handle))
+  elec_sql_close ($handle);
+
+?>
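Review bot: The check `if ($verify_token && $anon_token_id > 0)` is inverted — it reports "does not appear in the votes database" exactly when the token was found, and a token that was not found (id 0/FALSE) falls through to the display branch, where `elec_get_votes_for_anon_token` is called with that non-id; it should read `if ($verify_token && $anon_token_id <= 0) {`. The display branch also uses names this file never defines (`$class`, `$choices_name`, `$anon_token["anon_token"]`), reads `$votes["preference"]` where `$vote["preference"]` is meant, and emits `<tr>`/`</table>` without an opening `<table>`, which looks like a block carried over from another page; `$choices_name` presumably needs to be built from `elec_choices_get` and `$anon_token["anon_token"]` replaced by `$verify_token`. The `<form ... method="post"` echo lacks its closing `>` and newline, so the markup becomes `<form ... method="post"<div class="votedata">`. `$_POST["verify_token"]` is read without `isset`, and `$step = 0` and the doubled `;;` on the error echo are leftovers. `elec_get_votes_for_anon_token` is not added by this patch, so its existence and return shape are assumed here.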