From 5bb4ee5d3660977ac35e79ffa9aee4f45737c82c Mon Sep 17 00:00:00 2001
From: danielvincent
Date: Mon, 20 Sep 2010 15:15:37 -0700
Subject: [PATCH] DG IZ; posting now ensures aspect ownership.
---
 app/models/user.rb | 3 +++
 spec/models/user/posting_spec.rb | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/app/models/user.rb b/app/models/user.rb
index f0481341a..e02c58534 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -105,7 +105,10 @@ class User
 end
 aspect_ids = [aspect_ids.to_s] if aspect_ids.is_a? BSON::ObjectId
+ raise ArgumentError.new("You must post to someone.") if aspect_ids.nil? || aspect_ids.empty?
+ aspect_ids.each{ |aspect_id|
+ raise ArgumentError.new("Cannot post to an aspect you do not own.") unless self.aspects.find(aspect_id) }
 post = build_post(class_name, options)
diff --git a/spec/models/user/posting_spec.rb b/spec/models/user/posting_spec.rb
index b1f6f71a8..d00747a2d 100644
--- a/spec/models/user/posting_spec.rb
+++ b/spec/models/user/posting_spec.rb
@@ -30,6 +30,10 @@ describe User do
 proc {@user.post(:status_message, :message => "heyheyhey")}.should raise_error /You must post to someone/
 end
+ it 'should not be able to post to someone elses aspect' do
+ proc {@user.post(:status_message, :message => "heyheyhey", :to => @aspect2.id)}.should raise_error /Cannot post to an aspect you do not own./
+ end
+
 it 'should put the post in the aspect post array' do
 post = @user.post(:status_message, :message => "hey", :to => @aspect.id)
 @aspect.reload
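Review bot: The ownership check in the added `aspect_ids.each` loop only works if `self.aspects.find(aspect_id)` returns nil for an id that is not one of this user's aspects; if the association proxy raises on a miss instead, the `unless` is never reached and the caller gets an unrelated exception rather than the intended "Cannot post to an aspect you do not own." — worth confirming against the ORM in use, and the spec in the second hunk should also cover an id that exists for nobody. Since `aspect_ids` may still be a plain String here (only the BSON::ObjectId case is wrapped in an array), `aspect_ids.each` presumably relies on String#each; on Ruby 1.9+ that method no longer exists, so normalising with `Array(aspect_ids)` before the loop would make the check robust to both inputs. The loop also issues one lookup per id; a single membership check against the user's own aspect ids would do the same authorization work in one query. As a matter of style, a multi-line brace block with the closing `}` trailing the raise is hard to read and the `self.` receiver is redundant: `aspect_ids.each do |aspect_id|` / `  raise ArgumentError.new("Cannot post to an aspect you do not own.") unless aspects.find(aspect_id)` / `end`. The enclosing method begins before the hunk and its remainder continues after it.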
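Review bot: The new example only asserts that an ArgumentError is raised; it does not verify that nothing was persisted for the foreign aspect, which is the property the authorization check exists to protect, so an expectation that the relevant post count is unchanged would pin the behaviour rather than just the message. The expected-message regex ends in an unescaped `.`, which matches any character; write it as `raise_error /Cannot post to an aspect you do not own\./` if the full sentence is intended. The example depends on `@aspect2` being an aspect that belongs to a different user, set up somewhere outside the hunk; if `@aspect2` were one of `@user`'s own aspects the example would fail for an unrelated reason, so it is worth stating that ownership in the setup or in the example name.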