reserved username can be used in public poll #909

Closed
3 tasks done
vieta-123 opened this issue Apr 20, 2020 · 6 comments · Fixed by #911

vieta-123 commented Apr 20, 2020

to dos

  • Optimize backend check
  • Investigate ignoring :disabled
  • Change handling of not usable usernames

What is going wrong?

Change results of other external users, when you should not be allowed to

To Reproduce
Steps to reproduce the behavior:

  1. Create a new poll
  2. Create an external link
  3. Open this external link in Browser A and participate as UserA
  4. Open this external link in Browser B and try to participate as UserA
  5. The "OK" button is greyed out as the user already participated in the poll
  6. Hit the Enter key on your keyboard and you are now allowed to edit the input of UserA

Expected behavior
You should not be able to choose/edit the input of another user.

Screenshots

Information about your polls installation

Polls version? (see apps page)
1.3.0

Fresh installation or update from a prior version (from which one)?
Fresh install

How did you install this version?(Appstore or describe installation)
Nextcloud Appstore

Information about your Instance of Nextcloud/ownCloud

Nextcloud or ownCloud?
Nextcloud

Nextcloud/ownCloud version: (see Nextcloud admin page)
18.0.3

List of activated apps:
too long to print

Nextcloud configuration:

no access to configuration

### Server configuration
No access to server configuration

Login as admin user into your Nextcloud and access
http://example.com/index.php/settings/integrity/failed
paste the results here.

No errors have been found.

**Are you using an external user-backend, if yes which one:** LDAP/ActiveDirectory/Webdav/...
No

### Client configuration
**Device:**
Desktop/mobile phone/ tablet/... 

**Browser:**
Firefox, Edge, Chrome

**Operating system:**
Windows

### Logs

#### Nextcloud log (data/nextcloud.log)
not available

Insert your Nextcloud log here
not available

#### Browser log
not available

dartcafe changed the title from "Change inputs of other external users, when you should not be allowed to" to "reserved username can be used in public poll" on Apr 20, 2020
dartcafe added the bug label Apr 20, 2020

dartcafe commented Apr 20, 2020

[1.4.2] Additionally: :disabled is ignored

dartcafe self-assigned this Apr 20, 2020

vieta-123 (Author) commented

Additional findings, probably related to this: If I bypass the check three times with a user test I get three invitation links for the user in the backend.

dartcafe reopened this Apr 20, 2020

dartcafe commented Apr 20, 2020

This is a result of the first bug, because a personal link is created every time. I added a quick fix, but it needs some more work and additional testing.
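
One way to guard against the behaviour reported above (a disabled "OK" button bypassed with Enter, and one more personal link per bypass), as an added sketch that is not part of this thread and not code from Polls or #911. It repeats the name check in the submit handler and enforces it again server-side before any link is created; `PublicPollRegistry`, `canonicalName`, `onSubmit` and the `newToken` callback are hypothetical names.

```javascript
// Added sketch, not Polls code; every name below is hypothetical.

// Compare names case-insensitively and without surrounding whitespace.
function canonicalName(name) {
  return String(name).normalize('NFKC').trim().toLowerCase()
}

class PublicPollRegistry {
  constructor(reservedNames = []) {
    this.reserved = new Set(reservedNames.map(canonicalName))
    this.participants = new Map() // pollId -> Map(canonical name -> token)
  }

  // Runs on every request, whatever the client UI allowed.
  check(pollId, name) {
    const key = canonicalName(name)
    if (key === '') return { ok: false, reason: 'empty' }
    if (this.reserved.has(key)) return { ok: false, reason: 'reserved' }
    if (this.participants.get(pollId)?.has(key)) {
      return { ok: false, reason: 'taken' }
    }
    return { ok: true, key }
  }

  // A personal link (token) is created only after the check passes, so a
  // rejected or repeated request never adds another link.
  register(pollId, name, newToken) {
    const result = this.check(pollId, name)
    if (!result.ok) return result
    if (!this.participants.has(pollId)) this.participants.set(pollId, new Map())
    const token = newToken() // assumption: caller supplies a CSPRNG-backed generator
    this.participants.get(pollId).set(result.key, token)
    return { ok: true, token }
  }

  linkCount(pollId) {
    return this.participants.get(pollId)?.size ?? 0
  }
}

// Client side: as in the report, Enter reached the submit logic although the
// OK button was disabled, so the handler re-checks the validation state itself.
function onSubmit(formState, send) {
  if (!formState.nameIsValid) return false
  send(formState.name)
  return true
}
```

Passing the instance's login names as `reservedNames` or leaving the list empty is the policy choice discussed later in the thread; the per-poll `taken` check applies either way.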

dartcafe (Collaborator) commented

I added the fix to a new beta: https://github.com/nextcloud/polls/releases/tag/1.4.2

dartcafe linked a pull request Apr 22, 2020 that will close this issue

Philzen commented Dec 18, 2021

The issue description was "You should not be able to choose/edit the input of another user." – however, I suspect #911 included a bit more than just fixing this issue:

Let's say I make a public poll for other, non-Nextcloud users to participate. I have a login "Peter" and display name "Mr. P. Parker". I log in and fill out the poll, which then shows my display name. However, no "Peter" is allowed to enter themselves via the public link, even if there is no "Peter" on the poll results yet.

IMHO the check should just be for names that are already entered into the poll itself. There may be numerous other user names on the instance that may not be interested in the poll, while those login names may clash with names of people that really want to participate publicly.


github-actions bot commented Jun 1, 2024

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

github-actions bot locked as resolved and limited conversation to collaborators Jun 1, 2024