validate user ownership on status message destroy

zhitomirskiyi 2010-11-03 18:04:10 -07:00
parent 6a6cedbc62
commit 2da1f860cd
3 changed files with 49 additions and 3 deletions


@ -22,8 +22,14 @@ class StatusMessagesController < ApplicationController
end end
def destroy def destroy
@status_message = current_user.find_visible_post_by_id params[:id] @status_message = current_user.my_posts.where(:_id => params[:id]).first
if @status_message
@status_message.destroy @status_message.destroy
else
Rails.logger.info "#{current_user.inspect} is trying to delete a post they don't own with id: #{params[:id]}"
end
respond_with :location => root_url respond_with :location => root_url
end end
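Review bot: The logger call in the new `else` branch interpolates `current_user.inspect`, which serialises every attribute of the User document into the log line; if the model stores credential material (password hash, serialized keys — cannot confirm from this hunk) it lands in plaintext log files on exactly the unauthorised path you want to audit. Log the identifier only: `Rails.logger.info "User #{current_user.id} is trying to delete a post they don't own with id: #{params[:id]}"`. The refused path also falls through to the same `respond_with :location => root_url` as the success path, so the client gets no signal that nothing was deleted; a `flash[:error]` or a 403/404 response would make the refusal visible and easier to distinguish in logs. Scoping the lookup to `current_user.my_posts` is the right ownership check, since a visible-but-foreign id now simply yields nil.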


@ -8,9 +8,13 @@ describe StatusMessagesController do
render_views render_views
let!(:user) { make_user } let!(:user) { make_user }
let!(:aspect) { user.aspects.create(:name => "lame-os") } let!(:aspect) { user.aspects.create(:name => "AWESOME!!") }
let!(:user2) { make_user }
let!(:aspect2) { user2.aspects.create(:name => "WIN!!") }
before do before do
friend_users(user, aspect, user2, aspect2)
sign_in :user, user sign_in :user, user
@controller.stub!(:current_user).and_return(user) @controller.stub!(:current_user).and_return(user)
end end
@ -65,4 +69,28 @@ describe StatusMessagesController do
end end
end end
end end
describe '#destroy' do
let!(:message) {user.post(:status_message, :message => "hey", :to => aspect.id)}
let!(:message2) {user2.post(:status_message, :message => "hey", :to => aspect2.id)}
it 'should let me delete my photos' do
delete :destroy, :id => message.id
StatusMessage.find_by_id(message.id).should be_nil
end
it 'will not let you destroy posts visible to you' do
user.receive message2.to_diaspora_xml, user2.person
user.visible_posts.include?(message2).should be true
delete :destroy, :id => message2.id
StatusMessage.find_by_id(message2.id).should_not be_nil
end
it 'will not let you destory posts you do not own' do
user.visible_posts.include?(message2).should be false
delete :destroy, :id => message2.id
StatusMessage.find_by_id(message2.id).should_not be_nil
end
end
end end
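Review bot: The first example's description, `'should let me delete my photos'`, does not match what it exercises — it posts and destroys a status message — and the third is misspelled `'destory'`; rename them `'lets the owner destroy their own status message'` and `'will not let you destroy posts you do not own'` so a failure reads correctly. The two negative examples only check that the record survives; adding `response.should redirect_to root_url` would also pin what the controller does on the refused path, which is the part this commit changes. The `friend_users(user, aspect, user2, aspect2)` call added to the top-level `before` runs for every example in the file, not just `#destroy`; if that is intentional a one-line comment on it would help, otherwise it belongs in a `before` inside the new describe.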


@ -55,6 +55,9 @@ describe User do
aspect.posts.should include post aspect.posts.should include post
end end
it 'should put an album in the aspect post array' do it 'should put an album in the aspect post array' do
album = user.post :album, :name => "Georges", :to => aspect.id album = user.post :album, :name => "Georges", :to => aspect.id
aspect.reload aspect.reload
@ -81,6 +84,15 @@ describe User do
end end
end end
describe '#post' do
it 'should not create a post with invalid aspect' do
pending "this would just causes db polution"
post_count = Post.count
proc { user.post(:status_message, :message => "hey", :to => aspect2.id) }.should raise_error /Cannot post to an aspect you do not own./
Post.count.should == post_count
end
end
describe '#update_post' do describe '#update_post' do
it 'should update fields' do it 'should update fields' do
album = user.post(:album, :name => "Profile Photos", :to => aspect.id) album = user.post(:album, :name => "Profile Photos", :to => aspect.id)
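Review bot: The new `'should not create a post with invalid aspect'` example is marked `pending` on its first line, so the ownership check on `User#post` that this commit introduces is never actually asserted. `aspect2` is also not defined anywhere visible in this spec (the `let` may be outside the hunk), so unpending it as-is would fail on a NameError rather than on the behaviour. The `raise_error /Cannot post to an aspect you do not own./` form triggers Ruby's ambiguous-first-argument warning; write `raise_error(/Cannot post to an aspect you do not own./)`. If the concern is leftover records, the example already asserts `Post.count` is unchanged, which is the evidence that nothing was written, so it can run; the pending message should at least read `"this would just cause db pollution"`.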