From 4e9e7167836b9f838aa9e79084f86394cf27a187 Mon Sep 17 00:00:00 2001 From: ilya Date: Tue, 19 Oct 2010 15:42:40 -0700 Subject: [PATCH] another attack vector spec --- spec/models/user/attack_vectors_spec.rb | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/spec/models/user/attack_vectors_spec.rb b/spec/models/user/attack_vectors_spec.rb index 625969bef..ebab7cf37 100644 --- a/spec/models/user/attack_vectors_spec.rb +++ b/spec/models/user/attack_vectors_spec.rb @@ -8,6 +8,8 @@ describe User do let(:user) { Factory(:user) } let(:aspect) { user.aspect(:name => 'heroes') } + + let(:bad_user) { Factory(:user)} let(:user2) { Factory(:user) } let(:aspect2) { user2.aspect(:name => 'losers') } @@ -20,6 +22,26 @@ describe User do friend_users(user, aspect, user3, aspect3) end + context 'non-friend valid user' do + + it 'raises if receives post by non-friend' do + pending "need to that posts come from friends.... requests need special treatment(because the person may not be in the db)" + post_from_non_friend = bad_user.build_post( :status_message, :message => 'hi') + xml = bad_user.salmon(post_from_non_friend).xml_for(user.person) + + post_from_non_friend.delete + bad_user.delete + + post_count = Post.count + proc{ user.receive_salmon(xml) }.should raise_error /Not friends with that person/ + + user.raw_visible_posts.include?(post_from_non_friend).should be false + + Post.count.should == post_count + end + + end + context 'malicious friend attack vector' do it 'overwrites messages with a different user' do original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
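Review bot: `let(:bad_user) { Factory(:user)}` drops the space before the closing brace that the neighbouring `let` lines keep, and the extra blank `+` line above it separates it from the `user`/`aspect` pair it belongs with; `let(:bad_user) { Factory(:user) }` directly after `let(:aspect)` matches the file's layout. The name also sits oddly with the context that uses it ('non-friend valid user'): this fixture is a legitimate user who simply has no contact with `user`, so `non_friend` or `stranger` would describe it better and leave "bad" for the malicious-friend cases.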
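Review bot: `bad_user.delete` runs before `user.receive_salmon(xml)`, so once this example is un-pended the slap will be rejected by whichever check trips first — a sender the receiver can no longer look up, or the intended "not friends" check — and `raise_error /Not friends with that person/` cannot distinguish the two. If the scenario is a validly signed message from a known but unconnected person, keep the sender and delete only the post (drop `bad_user.delete`), and give the unknown-sender case the pending message describes its own example. Note that `pending "..."` at the top of the block stops the example right there, so none of the assertions below it run until that line is removed; the message itself reads `need to that posts come from friends`, presumably `need to check that ...`. Finally, `user.raw_visible_posts.include?(post_from_non_friend).should be false` is tested against a record that was already deleted two statements earlier, so it is true regardless of what `receive_salmon` did; the `Post.count.should == post_count` line is the meaningful guard, and the `include?` check could be dropped or replaced with a lookup by id.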