DG IZ; posting now ensures aspect ownership.

2010-09-20 15:15:37 -07:00 · 2010-09-20 15:15:37 -07:00 · 5bb4ee5d36
commit 5bb4ee5d36
parent 4fe4326ed1
2 changed files with 7 additions and 0 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -105,7 +105,10 @@ class User
    end

    aspect_ids = [aspect_ids.to_s] if aspect_ids.is_a? BSON::ObjectId
+
    raise ArgumentError.new("You must post to someone.") if aspect_ids.nil? || aspect_ids.empty?
+    aspect_ids.each{ |aspect_id|
+      raise ArgumentError.new("Cannot post to an aspect you do not own.") unless self.aspects.find(aspect_id) }

    post = build_post(class_name, options)

--- a/spec/models/user/posting_spec.rb
+++ b/spec/models/user/posting_spec.rb
@ -30,6 +30,10 @@ describe User do
    proc {@user.post(:status_message, :message => "heyheyhey")}.should raise_error /You must post to someone/
  end

+  it 'should not be able to post to someone elses aspect' do
+    proc {@user.post(:status_message, :message => "heyheyhey", :to => @aspect2.id)}.should raise_error /Cannot post to an aspect you do not own./
+  end
+  
  it 'should put the post in the aspect post array' do
    post = @user.post(:status_message, :message => "hey", :to => @aspect.id)
    @aspect.reload