From 03df0ff716a07d5a527f7918a67b575a4c853467 Mon Sep 17 00:00:00 2001
From: ilya
Date: Mon, 11 Oct 2010 18:22:19 -0700
Subject: [PATCH] parser spec is green
---
lib/diaspora/user/receiving.rb | 45 ++++++++++++++++++-------
spec/lib/diaspora_parser_spec.rb | 16 +++++----
spec/models/user/attack_vectors_spec.rb | 13 +++----
spec/spec_helper.rb | 2 +-
4 files changed, 48 insertions(+), 28 deletions(-)
diff --git a/lib/diaspora/user/receiving.rb b/lib/diaspora/user/receiving.rb
index e6976a77e..f5390e476 100644
--- a/lib/diaspora/user/receiving.rb
+++ b/lib/diaspora/user/receiving.rb
@@ -5,28 +5,49 @@ module Diaspora salmon = Salmon::SalmonSlap.parse salmon_xml, self if salmon.verified_for_key?(salmon.author.public_key) Rails.logger.info("data in salmon: #{salmon.parsed_data}") - self.receive(salmon.parsed_data) + self.receive(salmon.parsed_data, salmon.author) end end - def receive xml + def receive xml, author object = Diaspora::Parser.from_xml(xml) Rails.logger.debug("Receiving object for #{self.real_name}:\n#{object.inspect}") Rails.logger.debug("From: #{object.person.inspect}") if object.person - - if object.is_a? Retraction - receive_retraction object, xml - elsif object.is_a? Request - receive_request object, xml - elsif object.is_a? Profile - receive_profile object, xml - elsif object.is_a?(Comment) - receive_comment object, xml + + + + if (author == sender(object, xml)) + if object.is_a? Retraction + receive_retraction object, xml + elsif object.is_a? Request + receive_request object, xml + elsif object.is_a? Profile + receive_profile object, xml + elsif object.is_a?(Comment) + receive_comment object, xml + else + receive_post object, xml + end else - receive_post object, xml + raise "Possibly Malicious Post, #{author.real_name} with id #{author.id} is sending a #{object.class} as #{sender.real_name} with id #{sender.id} " end end + def sender(object, xml) + if object.is_a? Retraction + sender = object.person + elsif object.is_a? Request + sender = Diaspora::Parser.parse_or_find_person_from_xml( xml ) + elsif object.is_a? Profile + sender = Diaspora::Parser.owner_id_from_xml xml + elsif object.is_a?(Comment) + sender = object.post.person + else + sender = object.person + end + sender + end + def receive_retraction retraction, xml if retraction.type == 'Person' Rails.logger.info( "the person id is #{retraction.post_id} the friend found is #{visible_person_by_id(retraction.post_id).inspect}") diff --git a/spec/lib/diaspora_parser_spec.rb b/spec/lib/diaspora_parser_spec.rb index fede700ad..3b9e090f9 100644 
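Review bot: The `raise` in the `else` branch of `receive` interpolates `sender.real_name` and `sender.id`, but `sender` there is the new two-argument method called with no arguments, so the rejection path would fail with an ArgumentError instead of the "Possibly Malicious Post" message the specs match on. Resolve the claimed sender once before the comparison with `claimed = sender(object, xml)`, test `if author == claimed`, and build the message from `claimed.real_name` and `claimed.id`. Separately, the Profile branch of `sender` returns `Diaspora::Parser.owner_id_from_xml xml`, which by its name looks like an id, not a Person; if so, `author == sender(object, xml)` can never hold for profiles and `.real_name` on it would fail too, so confirm what that helper returns. The Comment branch reads `object.post.person` with no nil check on `object.post`, which presumably can be nil when the referenced post is not known locally and is worth guarding.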
--- a/spec/lib/diaspora_parser_spec.rb +++ b/spec/lib/diaspora_parser_spec.rb @@ -55,7 +55,7 @@ describe Diaspora::Parser do xml = retraction.to_diaspora_xml StatusMessage.count.should == 1 - @user.receive xml + @user.receive xml, person StatusMessage.count.should == 0 end @@ -69,7 +69,7 @@ describe Diaspora::Parser do @user3.destroy @person.destroy Person.all.count.should == person_count -1 - @user.receive xml + @user.receive xml, @person Person.all.count.should == person_count Person.first(:_id => original_person_id).serialized_public_key.include?("PUBLIC").should be true @@ -85,7 +85,7 @@ describe Diaspora::Parser do xml = request.to_diaspora_xml Person.all.count.should be person_count - @user.receive xml + @user.receive xml, @user2.person Person.all.count.should be person_count @user2.reload @@ -106,7 +106,7 @@ describe Diaspora::Parser do @user2.person.destroy @user2.destroy - @user.receive xml + @user.receive xml, @user2.person new_person = Person.first(:url => @user2.person.url) new_person.nil?.should be false @@ -128,14 +128,16 @@ describe Diaspora::Parser do @user2.person.destroy @user2.destroy - @user.receive xml + @user.receive xml, @user2.person + @aspect.reload aspect_people_count = @aspect.people.size #They are now friends Person.count.should == person_count - @user.receive retraction_xml + @user.receive retraction_xml, @user2.person + @aspect.reload @aspect.people.size.should == aspect_people_count -1 @@ -163,7 +165,7 @@ describe Diaspora::Parser do old_profile.first_name.should == 'bob' #Marshal profile - @user.receive xml + @user.receive xml, person #Check that marshaled profile is the same as old profile person = Person.first(:id => person.id) diff --git a/spec/models/user/attack_vectors_spec.rb b/spec/models/user/attack_vectors_spec.rb index 0e14cf44c..2918cf1ca 100644 --- a/spec/models/user/attack_vectors_spec.rb +++ b/spec/models/user/attack_vectors_spec.rb 
@@ -28,38 +28,35 @@ describe User do user.raw_visible_posts.count.should be 1 malicious_message = Factory.build( :status_message, :id => original_message.id, :message => 'BAD!!!', :person => user3.person) - user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person)) + proc{user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person))}.should raise_error /Malicious Post/ user.raw_visible_posts.count.should be 1 user.raw_visible_posts.first.message.should == "store this!" end - it 'ovewrites messages which apear to ' do + it 'ovewrites messages which apear to be from the same user' do original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id user.receive_salmon(user2.salmon(original_message).xml_for(user.person)) user.raw_visible_posts.count.should be 1 malicious_message = Factory.build( :status_message, :id => original_message.id, :message => 'BAD!!!', :person => user2.person) - user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person)) + proc{user.receive_salmon(user3.salmon(malicious_message).xml_for(user.person))}.should raise_error /Malicious Post/ + user.raw_visible_posts.count.should be 1 user.raw_visible_posts.first.message.should == "store this!" end it 'overites another persons profile' do - pending "don't allow profile overwriting" profile = user2.profile.clone profile.first_name = "Not BOB" user2.reload user2.profile.first_name.should == "Robert" - user.receive_salmon(user3.salmon(profile).xml_for(user.person)) + proc{user.receive_salmon(user3.salmon(profile).xml_for(user.person))}.should raise_error /Malicious Post/ user2.reload user2.profile.first_name.should == "Robert" end - it 'overwrites requests' do - pending - end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 7dede4436..403042406 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb 
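Review bot: The empty pending example `it 'overwrites requests'` is deleted at the end of this hunk, not implemented, so the Request branch of the new author check in `lib/diaspora/user/receiving.rb` has no forged-sender example here, while the status-message and profile cases do. An example in the same shape as the others, with the request signed by one user but attributed to another and the call wrapped in `proc{ ... }.should raise_error(/Malicious Post/)`, would cover it. The example descriptions still read as if the overwrite succeeds ('ovewrites messages which apear to be from the same user', 'overites another persons profile'); wording such as `it 'rejects a profile sent by someone other than its owner'` would match what is now asserted. The hunk begins inside an earlier example whose `it` line is outside the hunk.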
@@ -82,7 +82,7 @@ ImageUploader.enable_processing = false request = user1.send_friend_request_to(user2.person, aspect1) reversed_request = user2.accept_friend_request( request.id, aspect2.id) user1.reload - user1.receive reversed_request.to_diaspora_xml + user1.receive reversed_request.to_diaspora_xml, user2.person user1.reload aspect1.reload user2.reload