Describe the bug
When creating a nomination, NominationCreate.get_form_class() raises 404 if the election's nomination window isn't open. But NominationEdit and NominationAccept don't do that check. Their test_func() only verifies that the user is the nominator (or nominee), so the edit and accept endpoints keep working after nominations close. The nominator can also keep editing a nomination once it has been accepted or approved, which editable() is supposed to block even while nominations are still open.
The model already has the right rule in Nomination.editable(), and the templates use it to hide the Edit button, but nothing enforces it on the view side. So someone could change their published nomination statement (or flip the accepted flag) after the deadline. (file under: who would even do this?!)
Not urgent since it only matters during an election and the people involved would likely notice, but the views should be consistent with the create view and the model.
File locations (as of commit 5d5338f):
- nominations/views.py:151 - NominationEdit.test_func() only checks ownership
- nominations/views.py:181 - NominationAccept.test_func() same
- nominations/views.py:102 - NominationCreate.get_form_class() does check the window
- nominations/models.py:221 - Nomination.editable() has the intended logic
Fix is probably just to have the two test_func() methods also require the window to be open, ideally by reusing Nomination.editable() instead of duplicating the ownership check.
(found using Claude Security... but I decided this is merely a bug given the threat model here... -G)
Is this the desired state of editable() or not? The template text today implies it:
{% if nomination.election.nominations_open %}
<i>It is no longer editable as it has been accepted.</i>
{% else %}
<i>It is no longer editable as nominations are closed.</i>
{% endif %}
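The gap the report describes, reduced to a Django-free model so it runs stand-alone. This is an added example, not code from the nominations project: the ownership-only check (what NominationEdit.test_func() and NominationAccept.test_func() are described as doing today) sits beside a check that also delegates to Nomination.editable(). The field names, the nominations_open() method on Election, and the body of editable() (window open and not yet accepted or approved, matching the quoted template text) are assumptions, since the issue does not show those bodies.

```python
"""
Added example (not the project's own code): view-side authorization for
editing/accepting a nomination, with the ownership-only check beside a
check that reuses the model's editable() rule.

Assumed shapes (not taken from the repository):
  - Election.nominations_open(now) reports whether the window is open.
  - Nomination has nominator, nominee, accepted, approved.
  - Nomination.editable(now) == window open and not accepted/approved.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class User:
    username: str


@dataclass
class Election:
    nominations_open_at: datetime
    nominations_close_at: datetime

    def nominations_open(self, now=None):
        now = now or datetime.now(timezone.utc)
        return self.nominations_open_at <= now < self.nominations_close_at


@dataclass
class Nomination:
    election: Election
    nominator: User
    nominee: User
    statement: str
    accepted: bool = False
    approved: bool = False

    def editable(self, now=None):
        # Assumed rule, consistent with the template text quoted above:
        # closed window or an accepted/approved nomination blocks edits.
        return self.election.nominations_open(now) and not (self.accepted or self.approved)


def edit_allowed_ownership_only(user, nomination):
    """Today's behaviour as described: only checks that user is the nominator."""
    return user == nomination.nominator


def edit_allowed_fixed(user, nomination, now=None):
    """Proposed fix: ownership AND the model's editable() rule, not a copy of it."""
    return user == nomination.nominator and nomination.editable(now)


def accept_allowed_ownership_only(user, nomination):
    """Today's behaviour as described: only checks that user is the nominee."""
    return user == nomination.nominee


def accept_allowed_fixed(user, nomination, now=None):
    """Proposed fix: nominee AND the window is still open."""
    return user == nomination.nominee and nomination.election.nominations_open(now)


def scenarios():
    """Run the cases from the report; returns name -> (allowed today, allowed after fix).

    All dates and users below are constructed for the example.
    """
    opens = datetime(2024, 1, 1, tzinfo=timezone.utc)
    closes = opens + timedelta(days=14)
    election = Election(opens, closes)
    alice, bob, mallory = User("alice"), User("bob"), User("mallory")
    during, after = opens + timedelta(days=1), closes + timedelta(days=1)

    pending = Nomination(election, nominator=alice, nominee=bob, statement="constructed")
    accepted = Nomination(election, nominator=alice, nominee=bob, statement="constructed", accepted=True)

    return {
        "owner_edit_while_open": (edit_allowed_ownership_only(alice, pending),
                                  edit_allowed_fixed(alice, pending, during)),
        "stranger_edit_while_open": (edit_allowed_ownership_only(mallory, pending),
                                     edit_allowed_fixed(mallory, pending, during)),
        # The bug: the deadline has passed but ownership alone still passes.
        "owner_edit_after_close": (edit_allowed_ownership_only(alice, pending),
                                   edit_allowed_fixed(alice, pending, after)),
        # The second case in the report: editing after acceptance, window still open.
        "owner_edit_after_accept": (edit_allowed_ownership_only(alice, accepted),
                                    edit_allowed_fixed(alice, accepted, during)),
        # The accept endpoint has the same gap.
        "nominee_accept_after_close": (accept_allowed_ownership_only(bob, pending),
                                       accept_allowed_fixed(bob, pending, after)),
    }


if __name__ == "__main__":
    for name, (today, fixed) in scenarios().items():
        print(f"{name:28s} today={today!s:5s} fixed={fixed!s:5s}")
```

The point of keeping the ownership check in the view and delegating the state rule to editable() is that the template and the view then cannot drift apart again: whatever hides the Edit button is exactly what the endpoint enforces, which is the consistency the report asks for.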
To Reproduce
see above
Expected behavior
editing is closed
URL to the issue
No response
Screenshots
Browsers
Other
Operating System
Other
Browser Version
n/a
Relevant log output
Additional context
No response