This Django bug outlines the issue fairly thoroughly: https://code.djangoproject.com/ticket/17157. In short, when you create a poll and put the embedding code it provides (<iframe src="http://localhost:8000/approval_polls/2" width="250"></iframe>) on a page on another domain, browsers that disallow third party cookies can't vote. They see a Django 403 page with the message "CSRF verification failed. Request aborted."

Both IE and Safari (including iOS) block third party cookies by default. Firefox was apparently going to start blocking all third party cookies from sites the user hasn't visited themselves - http://blog.mozilla.org/privacy/2013/02/25/firefox-getting-smarter-about-third-party-cookies/ - but in Firefox 30 the default is still to accept all cookies.

I found a few possible fixes, but nothing ideal.

It can be fixed in IE by sending a P3P header, but then "you're essentially making legally binding claims about how you handle user data".

We could disable Django's CSRF protection and check the referer header instead. This would work in (up-to-date) browsers but CSRF attacks would be easier in other applications where users can trigger HTTP requests for each other. There have also been referer-spoofing bugs in older browsers: http://seclists.org/fulldisclosure/2013/Jul/60. Although, couldn't that be worked around by checking user agents against a list of known-vulnerable browsers? There are a few other problems with this approach listed on the OWASP CSRF Cheat Sheet.

There's also a header called Origin that's designed for this case, but browser support isn't really there yet.

Another idea is to tie the CSRF token to the user's IP instead of to a cookie. For example, you could hash the IP with a secret key and use that as the token.

There are a bunch of workarounds that make pseudo-cookies at http://samy.pl/evercookie/. Using any of those would be a bit of a hack, but the ETag header looks promising.

I had a look at some other online polls to see if they had a solution but they all seemed to have no CSRF protection at all.

Django doesn't serve static files in production, so we have to configure another web server like apache and include instructions in the README.md.

See https://docs.djangoproject.com/en/1.8/howto/static-files/deployment/

This code is all-rights-reserved by legal default until you add a license. Furthermore, you have to handle all sorts of challenges when accepting code from others if the licensing isn't clear. If you have a LICENSE file here, then others who adjust the code in a repository that has the same file can at least be assumed to stick to the same license.

I would consider GNU AGPLv3+ (+ means include the "or later" clause) as the most community-centered freedom-respecting license. The only concern is that if you want to push adoption of this software by other websites which may be proprietary and where they would integrate this into their site, then you may want a more permissive license. GPLv3+ would be fine because it would be equally usable for even proprietary sites and the copyleft (i.e. share-alike / pass-on-the-freedoms) effect would only take place if someone distributes the code and not when they just use it on a site. You could slightly improve license-compatibility with GPLv2+ but that would lose the patent clauses and such. Otherwise, Apache v2 would be a decent option, or MIT to be most permissive. While I'd probably go with AGPLv3+ or maybe GPLv3+, any of these would be better than the really unacceptable state of having no license.

The administrator of a poll limits the respondents to only those with specific e-mails. Accounts not attached to the listed e-mails cannot participate in the poll. This feature should be able to be turned on or off by the poll administrator.

Approval is nice, but wouldn't score be even better?

Bonus: Configurable range (including negative numbers) by question (instead of any particular fixed ranged)

If a poll has been marked as type 2 (only registered users can vote), it would be nice to allow the user to update his/her ballot anytime before the closing date of the poll is reached (to be implemented in #15) . Currently, with this setting, the user is only allowed to enter their ballot once, after which he/she is not allowed to vote in that poll again.

Tests fail with status - FAILED (errors=10, skipped=1, expected failures=1)
The error in most cases appears to be NoReverseMatch: u'approval_polls' is not a registered namespace

This is a good issue for somebody new to the project. All you have to do is install the project and set up a poll... but you have to write it up in a blog post. This will improve both our documentation and our outreach. Also, you'll get to see the poll results on some issue that interests you!

It'd be nice to integrate social authentication that would allow users with Google/Facebook/Twitter accounts to login, (and probably vote) without requiring them to create an account on the polls application. This may be a good resource.

In the embed_instructions.html page, provide a 'Copy text' button to facilitate easy copying of the html snippet to clipboard.

The signup feature does not work.

Immediately before the options, display text "Choose as many options as you wish." This will reinforce the concept of approval voting.

Need to update README.md to add the following:

1. Style guide recommendations for the project.
2. Example of variable values in the local_settings.py

Participants, when viewing the selection options within a poll, can add an additional option by typing it in and select that option if they choose. This feature should be able to be turned on or off by the poll administrator.

Currently, if you submit a new question with blank question text, the http response is just "You have to ask a question!"; no proper html markup, no styling, no links to continue (you have to go back).

Should return a proper page instead.

This should contain easy-to-understand steps for newcomers to the project.

Would it be a good idea to import our local settings from a local_settings.py file into the main settings.py ? I find it very useful while developing (specifically the EMAIL_* related settings for registration which shouldn't be committed into settings.py)

We could do either 1 or 2 depending on what is agreeable.

1. Overwriting variables - import variables from local_settings.py into settings.py at the end which would overwrite the values. (http://stackoverflow.com/questions/4909958/django-local-settings). I prefer this since it is straightforward.
2. Extending variables - import settings into local_settings.py so that the variables in the settings file could be extended (https://gist.github.com/burnash/e60351e2696f4d17a466)

Also, adding local_settings.py to .gitignore. This way we could also switch DEBUG=True in the local_settings.py file.

Please let me know your views.

Thanks!

The user should be given the ability to change his/her password via an accounts information page (created as a part of #72)

The username at the bottom of the panel could link to the user's account information - which includes some useful statistics about the user:

1. Member since (date)
2. Last login (date)
3. Total number of polls created (and a link to them).
4. Change username and/or email.
5. Change password. (Adding this requirement to another ticket)
6. Opt in/out for newsletter subscription. (After #33 is implemented)

... and any other information that might be useful.

Allow the creator of a poll to place an external link next to an option. Perhaps it could allow the user to use markdown link syntax to start with, or add a link/button to create the external link.

Noticed that django by default (django.core.mail) waits for the email to be sent before navigating to the 'email sent' confirmation page. As a result, the application blocks for 2-3 minutes until the email is sent. Perhaps we should look into queuing the mail request or using another thread so that the user is not forced to wait on a specific page (registration, password reset) while the email is being sent. This post on stackoverflow outlines a couple of options.

Thanks!

Following the implementation of #15 , when poll closing date/times are added to a poll, create an optional countdown for whien a poll closes.

We started this project with Django 1.5. 1.7 is available now; we should upgrade and make sure everything still works.

Currently, the poll results only display the results in terms of votes and ballots, perhaps it could explicitly mention the number of people voted in the poll.

Currently the new question form is hard-coded to 8 candidate options.

Make it so you can have arbitrarily more than that.

(I'm thinking a button and a bit of javascript to add another text box.)

I am running into the following issue while running the test suite. Seems like the DetailView and ResultsView are not handling the case with the future published date for a poll.

 Creating test database for alias 'default'...
  .....F..........
 ======================================================================
 FAIL: test_detail_view_with_a_future_poll (approval_polls.tests.PollDetailTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/rupal/dev/volunteer/forks/electology/approval_frame/approval_polls/tests.py", line 106, in test_detail_view_with_a_future_poll
    self.assertEqual(response.status_code, 404)
AssertionError: 200 != 404                                                                                                                                              

----------------------------------------------------------------------                                                                                                  
Ran 17 tests in 0.958s                                                                                                                                                  

FAILED (failures=1)
Destroying test database for alias 'default'...

Currently the first step of installation as given in the README python manage.py syncdb fails. Either the README or the branch needs to be fixed.

The error is

Traceback (most recent call last):
  File "manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 385, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 354, in execute
    django.setup()
  File "/usr/local/lib/python2.7/dist-packages/django/__init__.py", line 21, in setup
    apps.populate(settings.INSTALLED_APPS)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/registry.py", line 85, in populate
    app_config = AppConfig.create(entry)
  File "/usr/local/lib/python2.7/dist-packages/django/apps/config.py", line 87, in create
    module = import_module(entry)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
ImportError: No module named registration

8 questions per page, but if any of them wrap to a second line, it scrolls in the current frame size.

(I think there's some CSS that will automatically put '...' if an item exceeds a maximum size.)

The default TIME_ZONE as set in the settings file is 'America/Los_Angeles' resulting in all dates and times being rendered in this particular timezone (irrespective of the user's timezone) . (Thanks @kushankr for pointing this out!) . Thus the dates and times displayed in the home page can be quite confusing to the user.

We would like all dates and times to be rendered in the user's timezone automatically without having the user select his/her timezone during registration. As extensively discussed in #75 we might need to use some client side Javascript library (like jstz) to help us set the app TIME_ZONE to the user's system timezone. Also, as recommended widely - setting TIME_ZONE='UTC' in settings.py. In addition, also add the appropriate timezone abbreviation (PST, IST, EST) whenever displaying datetimes.

Allow the poll to be configured to display the option with the leading number of votes in a different color.
This option could be added to the 'Poll Settings' panel while creating a new poll.

Currently this option is configurable in the poll settings panel ("Show Leading option in different color.") . Have this enabled by default.

Only the total number of ballots cast on a question and the total number of approvals of each choice are kept.

Collect the choices approved by each ballot instead.

(models.py has a starting point commented out)

Make better use of ids and classes everywhere so people can more-easily style their deployment.

We started using a new base template (currently called public_base); major identifiable difference is the CES logo being at the bottom of the screen instead of the top.

But it's being used inconsistently.

-Is there a reason we need two templates? Or can we combine them into one? (If one, let's go with the name 'base'.)

-Is there any reason we can't move the attending css in public_base in with the rest of the css?

We were working quickly; changes to graphical elements broke several tests for viewing poll results.

Currently, nothing limits anyone from voting as many times as they want on anything.

Restrict that. (Configurable by poll.) Some possibilities (implement any or all):

Just a friendly cookie: "Hey, you already voted on this."
User accounts (verify by email?)
reCaptcha
OpenAuth
Question ids just increment. How about adding a secret key to get in (equiv. to gDocs "anyone who knows the url"?)