another attack vector spec

spec/models/user/attack_vectors_spec.rb

@@ -9,6 +9,8 @@ describe User do
   let(:user) { Factory(:user) }
   let(:aspect) { user.aspect(:name => 'heroes') }
   
+  let(:bad_user) { Factory(:user)}
+
   let(:user2) { Factory(:user) }
   let(:aspect2) { user2.aspect(:name => 'losers') }
 
@@ -20,6 +22,26 @@ describe User do
     friend_users(user, aspect, user3, aspect3)
   end
 
+  context 'non-friend valid user' do
+    
+    it 'raises if receives post by non-friend' do
+      pending "need to that posts come from friends.... requests need special treatment(because the person may not be in the db)"
+      post_from_non_friend = bad_user.build_post( :status_message, :message => 'hi')
+      xml = bad_user.salmon(post_from_non_friend).xml_for(user.person)
+
+      post_from_non_friend.delete
+      bad_user.delete
+
+      post_count = Post.count
+      proc{ user.receive_salmon(xml) }.should raise_error /Not friends with that person/
+
+      user.raw_visible_posts.include?(post_from_non_friend).should be false
+
+      Post.count.should == post_count
+    end
+
+  end
+
   context 'malicious friend attack vector' do
     it 'overwrites messages with a different user' do 
       original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id