Forgive me for hysterically setting "critical" but to my eyes this verges on a security issue...or of course maybe there's a permission setting I've missed.
I created a binary poll with write-ins. I want anonymous users to be able to submit write-in votes, but I want anonymous users NOT to be able to use the "Write-ins" Tab to Promote or Merge those votes, potentially (and probably) changing the values of other people's votes.
Imagine the following scenario. 100 people vote for "Barack Obama", 100 people vote for "Barak Obama" and 199 votes are in for "John McCain"... close race, right? Until some anonymous user comes along and merges all the misspelled Obama votes into the McCain tally, and then it's a 299 - 100 landslide. Oops.
The relevant permissions settings seem to be: "Add Write-Ins", "Administer Polls" (which is purportedly linked to the poll settings) and "Vote on Polls". The Poll setting for the individual polls that looks like it would affect this is "Allow users to cast write-in." I tested every combination of these (with the remainder of the Advanced Polls permissions UNchecked and the remainder of the individual Poll settings UNchecked).
Add Write-Ins: DENY Administer Polls: DENY Vote on Polls: ALLOW Allow Users to Cast Write-in: DENY
Result: Write-in allowed: NO Write-in tab on poll page YES
Add Write-Ins: ALLOW Administer Polls: DENY Vote on Polls: ALLOW Allow Users to Cast Write-in: DENY
Result: Write-in allowed: NO Write-in tab on poll page YES
Add Write-Ins: DENY Administer Polls: ALLOW Vote on Polls: ALLOW Allow Users to Cast Write-in: DENY
Result: Write-in allowed: NO Write-in tab on poll page YES
Add Write-Ins: ALLOW Administer Polls: ALLOW Vote on Polls: ALLOW Allow Users to Cast Write-in: DENY
Result: Write-in allowed: NO Write-in tab on poll page YES
Add Write-Ins: DENY Administer Polls: DENY Vote on Polls: ALLOW Allow Users to Cast Write-in: ALLOW
Result: Write-in allowed: NO Write-in tab on poll page YES
Add Write-Ins: ALLOW Administer Polls: DENY Vote on Polls: ALLOW Allow Users to Cast Write-in: ALLOW
Result: Write-in allowed: YES Write-in tab on poll page YES
Add Write-Ins: ALLOW Administer Polls: ALLOW Vote on Polls: ALLOW Allow Users to Cast Write-in: ALLOW
Result: Write-in allowed: YES Write-in tab on poll page YES
Add Write-Ins: ALLOW Administer Polls: DENY Vote on Polls: DENY Allow Users to Cast Write-in: ALLOW
Result: Write-in allowed: NO* Write-in tab on poll page YES
Add Write-Ins: DENY Administer Polls: DENY Vote on Polls: DENY Allow Users to Cast Write-in: DENY
Result: Write-in allowed: NO** Write-in tab on poll page YES
* with this combination, poll options appear but user is not allowed to vote, but CAN promote or merge write-in votes
** with this combination, poll options appear—including write-in—user is not allowed to vote, but CAN promote or merge write-in votes
There were a number of other combinations involving Vote on Polls DENY that I did not test. It seems clear that users cannot post when Vote on Polls is UNchecked for their role. But no combination of seemingly relevant permissions settings will hide the tab from anonymous users.
Comments
Comment #1
ChrisKennedy commentedFixed - http://drupal.org/node/373076