validate user ownership on status message destroy

2010-11-03 18:04:10 -07:00 · 2010-11-03 18:04:10 -07:00 · 2da1f860cd
commit 2da1f860cd
parent 6a6cedbc62
3 changed files with 49 additions and 3 deletions
--- a/app/controllers/status_messages_controller.rb
+++ b/app/controllers/status_messages_controller.rb
@ -22,8 +22,14 @@ class StatusMessagesController < ApplicationController
  end

  def destroy
-    @status_message = current_user.find_visible_post_by_id params[:id]
-    @status_message.destroy
+    @status_message = current_user.my_posts.where(:_id =>  params[:id]).first
+    if @status_message
+      @status_message.destroy
+
+    else
+      Rails.logger.info "#{current_user.inspect} is trying to delete a post they don't own with id: #{params[:id]}"
+    end
+
    respond_with :location => root_url
  end

--- a/spec/controllers/status_message_controller_spec.rb
+++ b/spec/controllers/status_message_controller_spec.rb
@ -8,9 +8,13 @@ describe StatusMessagesController do
  render_views

  let!(:user) { make_user }
-  let!(:aspect) { user.aspects.create(:name => "lame-os") }
+  let!(:aspect) { user.aspects.create(:name => "AWESOME!!") }
+
+  let!(:user2) { make_user }
+  let!(:aspect2) { user2.aspects.create(:name => "WIN!!") }

  before do
+    friend_users(user, aspect, user2, aspect2)
    sign_in :user, user
    @controller.stub!(:current_user).and_return(user)
  end
@ -65,4 +69,28 @@ describe StatusMessagesController do
      end
    end
  end
+
+  describe '#destroy' do
+    let!(:message) {user.post(:status_message, :message => "hey", :to => aspect.id)}
+    let!(:message2) {user2.post(:status_message, :message => "hey", :to => aspect2.id)}
+
+    it 'should let me delete my photos' do
+      delete :destroy, :id => message.id
+      StatusMessage.find_by_id(message.id).should be_nil
+    end
+
+    it 'will not let you destroy posts visible to you' do
+      user.receive message2.to_diaspora_xml, user2.person
+      user.visible_posts.include?(message2).should be true
+      delete :destroy, :id => message2.id
+      StatusMessage.find_by_id(message2.id).should_not be_nil
+    end
+
+    it 'will not let you destory posts you do not own' do
+      user.visible_posts.include?(message2).should be false
+      delete :destroy, :id => message2.id
+      StatusMessage.find_by_id(message2.id).should_not be_nil
+    end
+
+  end
 end
--- a/spec/models/user/posting_spec.rb
+++ b/spec/models/user/posting_spec.rb
@ -55,6 +55,9 @@ describe User do
      aspect.posts.should include post
    end

+
+
+
    it 'should put an album in the aspect post array' do
      album = user.post :album, :name => "Georges", :to => aspect.id
      aspect.reload
@ -81,6 +84,15 @@ describe User do
    end
  end

+  describe '#post' do
+    it 'should not create a post with invalid aspect' do
+      pending "this would just causes db polution"
+      post_count = Post.count
+      proc { user.post(:status_message, :message => "hey", :to => aspect2.id) }.should raise_error /Cannot post to an aspect you do not own./
+      Post.count.should == post_count
+    end
+  end
+
  describe '#update_post' do
    it 'should update fields' do
      album = user.post(:album, :name => "Profile Photos", :to => aspect.id)