Bug Report: Voting endpoints use inconsistent authorization and reputation checks

[RounakChoudhary]

Problem

The project has multiple voting endpoints with different validation behavior.

Older vote routes check reputation before voting, while newer /upvote and /downvote routes do not enforce the same checks.

Additionally, one route attempts to call:

updateReputation()

on an ObjectId instead of a populated user document.

---

Files Involved

• server/routes/questions.js
• server/controllers/answersController.js

---

Current Behavior

• Some vote endpoints allow low-reputation users to vote
• Some routes may fail during reputation updates
• Voting behavior differs across APIs

---

Expected Behavior

All voting endpoints should:

• enforce the same authorization rules
• validate voting permissions consistently
• safely update reputation
• return consistent responses

---

Steps To Reproduce

1. Use a low-reputation account
2. Call newer /upvote or /downvote endpoints
3. Observe that voting succeeds without proper checks

---

Root Cause

Voting logic is duplicated across multiple routes/controllers and not centralized.

Some routes use populated user handling while others directly use ObjectIds.

---

Proposed Fix

• Create shared vote helper/controller logic
• Enforce req.user.canVote() consistently
• Fetch/populate content authors before reputation updates
• Optionally prevent self-voting

---

I am selected as a GSSoC contributor and would like to work on this issue. Please assign it to me.

[Divv1524]

I'm a GSSoC contributor and would love to take this issue!
My approach:

Centralize vote logic — Extract a shared voteHelper.js (or reuse the controller) to handle all upvote/downvote operations, eliminating the duplication between questions.js and answersController.js.
Consistent reputation gate — Apply a single canVote() check (minimum reputation threshold) across all vote endpoints, so newer /upvote /downvote routes behave identically to the older ones.
Fix the ObjectId bug — Before calling updateReputation(), populate the author using .populate('author') or a findById() call to ensure we're working with a full user document, not a raw ObjectId.
Consistent response format — Standardize success/error responses across all vote routes.

I'll also add self-vote prevention as a bonus.
Could you please assign this issue to me? I'll raise a PR soon.

[khat190]

Hi , I'm a GSSoC'26 contributor. I'd like to work on this issue. Please assign it to me. Thanks.