From c496f069e171fa130b8be1f9e3011cd1f6a1d8db Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?= <felix@dogcraft.de>
Date: Thu, 23 Nov 2017 10:06:18 +0100
Subject: [PATCH] add: an user with 'audit' privilleges can view all votes

---
 motion.py                    |  5 ++++-
 templates/single_motion.html | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/motion.py b/motion.py
index 783cf47..cef02ee 100644
--- a/motion.py
+++ b/motion.py
@@ -141,7 +141,10 @@ def show_motion(motion):
                          + "LEFT JOIN voter canceler ON canceler.id = motion.canceled_by "
                          + "WHERE motion.id=$1")
     rv = p(motion, g.voter)
-    return render_template('single_motion.html', motion=rv[0], may_vote=may("vote", rv[0].get("type")), may_cancel=may("cancel", rv[0].get("type")))
+    votes = None
+    if may("audit", rv[0].get("type")):
+        votes = get_db().prepare("SELECT vote.result, voter.email FROM vote INNER JOIN voter ON voter.id = vote.voter_id WHERE vote.motion_id=$1")(motion);
+    return render_template('single_motion.html', motion=rv[0], may_vote=may("vote", rv[0].get("type")), may_cancel=may("cancel", rv[0].get("type")), votes=votes)
 
 @app.route("/motion/<int:motion>/vote", methods=['POST'])
 def vote(motion):
diff --git a/templates/single_motion.html b/templates/single_motion.html
index ac4ff79..a15e397 100644
--- a/templates/single_motion.html
+++ b/templates/single_motion.html
@@ -4,6 +4,18 @@ Motion: {{motion.name}}
 {%- endblock %}
 {% block body %}
 {%- include 'motion.html' %}
+{%- if votes %}
+<div class="panel panel-info" id="votes">
+  <div class="panel-heading">
+    Motion Votes
+  </div>
+  <div class="panel-body">
+    {%- for row in votes %}
+    <div>{{row.email}}: {{row.result}}</div>
+    {%- endfor %}
+  </div>
+</div>
+{%- endif %}
 {%- if motion.running %}
 {%- if may_vote %}
 <form action="/motion/{{motion.id}}/vote" method="POST">
-- 
2.39.2