Adding a spec for a mass-assignment attack through profile update

This commit is contained in:
Raphael 2010-10-20 12:15:13 -07:00
parent 961510a8ed
commit 9c8e514642


@ -24,17 +24,26 @@ describe UsersController do
before do
@user.person.profile.image_url = "http://tom.joindiaspora.com/images/user/tom.jpg"
@user.person.profile.save
@params = {"profile"=>
{"image_url" => "",
"last_name" => @user.person.profile.last_name,
"first_name" => @user.person.profile.first_name}}
end
it "doesn't overwrite the profile photo when an empty string is passed in" do
image_url = @user.person.profile.image_url
put("update", :id => @user.id, "user"=> {"profile"=>
{"image_url" => "",
"last_name" => @user.person.profile.last_name,
"first_name" => @user.person.profile.first_name}})
put("update", :id => @user.id, "user" => @params)
@user.person.profile.image_url.should == image_url
end
it "doesn't overwrite random attributes" do
new_user = Factory.create(:user)
@params[:owner_id] = new_user.id
person = @user.person
put('update', :id => @user.id, "user" => @params)
Person.find(person.id).owner_id.should == @user.id
end
end
context 'should allow the user to update their password' do
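Review bot: The "doesn't overwrite random attributes" spec puts the hostile key at the top level of the `user` hash (`@params[:owner_id] = new_user.id`), but the attribute it then asserts on, `owner_id`, is read from `Person`, so unless `User` itself exposes an `owner_id` the assertion appears to pass regardless of whether nested mass assignment is protected, and it never exercises the `profile`/`person` path the preceding spec targets. Nesting the key where the model it belongs to is actually updated would make the attack real, e.g. `@params["person"] = {"owner_id" => new_user.id}` (or under `"profile"` if that is the only nested hash the controller forwards — the controller is not visible here), and asserting that the update otherwise succeeded would distinguish "attribute was ignored" from "request silently failed". The spec also mixes a symbol key (`:owner_id`) with the string keys used for the rest of the fixture; a functional-test `put` normalizes these, but `"owner_id"` keeps the hash consistent with `@params` as built in the `before` block. The enclosing `describe`/`before` context begins outside this hunk.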