From 6a243e90dbf08c3a9db8f757c11471661d18bcc1 Mon Sep 17 00:00:00 2001
From: Kevin Morris <kevr@0cost.org>
Date: Mon, 7 Mar 2022 23:23:49 -0800
Subject: [PATCH] fix: only reject addvote for users with running proposals

This was incorrectly indiscriminately targetting _any_ proposal
for a particular user.

Signed-off-by: Kevin Morris <kevr@0cost.org>
---
 aurweb/routers/trusted_user.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/aurweb/routers/trusted_user.py b/aurweb/routers/trusted_user.py
index 53bcecb7..cbe3e47d 100644
--- a/aurweb/routers/trusted_user.py
+++ b/aurweb/routers/trusted_user.py
@@ -274,8 +274,10 @@ async def trusted_user_addvote_post(request: Request,
             context["error"] = "Username does not exist."
             return render_addvote(context, HTTPStatus.NOT_FOUND)
 
+        utcnow = time.utcnow()
         voteinfo = db.query(models.TUVoteInfo).filter(
-            models.TUVoteInfo.User == user).count()
+            and_(models.TUVoteInfo.User == user,
+                 models.TUVoteInfo.End > utcnow)).count()
         if voteinfo:
             _ = l10n.get_translator_for_request(request)
             context["error"] = _(