Vote schema has empty changeset with no validation/required fields.

[khushal-winner]

• Describe the bug
  The Vote schema defines a changeset/2 function that casts no fields and validates nothing (cast(attrs, []) + validate_required([])), providing zero input validation. However, the app never uses this changeset votes are inserted directly via %Vote{…} |> Repo.insert().

• Expected behavior
  Schema changesets should enforce required fields and proper casting/validation (e.g. cast(attrs, [:dealt_card_id, :player_id]) + validate_required([:dealt_card_id, :player_id])) to prevent invalid data, follow Ecto best practices, and protect against future misuse.

• Desktop (please complete the following information):
  OS: N/A (server-side schema / code quality issue)
  Browser: N/A (server-side schema / code quality issue)
  Version: N/A (server-side schema / code quality issue)

• Additional context
  Not currently exploitable DB foreign-key constraints + direct struct insertion prevent bad data today. Still poor practice / technical debt: empty changeset violates Ecto conventions and creates risk if anyone later starts using Vote.changeset/2 (e.g. API, admin form, bulk insert). Fix recommended for maintainability and defense-in-depth.

[Suresh-Krishna-P]

Hello @khushal-winner,
The changeset function currently casts no fields and validates nothing, which violates Ecto best practices and creates inconsistency with other schemas in the codebase that properly implement field casting and validation. While the application currently avoids problems by directly inserting structs rather than using the changeset, this represents a maintenance risk and future vulnerability - if anyone ever starts using Vote.changeset/2 for API endpoints, admin forms, or bulk operations, invalid data could slip through. The fix is straightforward: update the changeset to cast [:dealt_card_id, :player_id] and validate these required foreign key fields, bringing it in line with the ContinueVote and Player schemas. This would provide proper input validation and defense-in-depth protection against future misuse.

[sydseter]

@khushal-winner I have assigned you.

[khushal-winner]

@sydseter, thanks for the nudge earlier :))
To make space for new contributors (especially first-timers), I'm un-assigning myself from #2555 and #2557 right now. Both are super beginner-friendly (small changeset fixes), so perfect for someone new to jump in and learn Ecto/Phoenix security/best practices.

I'll still be around to review/help if anyone picks them up, but won't claim them myself.

[Suresh-Krishna-P]

@sydseter, can you assign this to me?

[sydseter]

@Suresh-Krishna-P, I have assigned you. Thank you for your time.