Adding a spec for a mass-assignment attack through profile update

Raphael 2010-10-20 12:15:13 -07:00
parent 961510a8ed
commit 9c8e514642


@ -24,17 +24,26 @@ describe UsersController do
before do before do
@user.person.profile.image_url = "http://tom.joindiaspora.com/images/user/tom.jpg" @user.person.profile.image_url = "http://tom.joindiaspora.com/images/user/tom.jpg"
@user.person.profile.save @user.person.profile.save
@params = {"profile"=>
{"image_url" => "",
"last_name" => @user.person.profile.last_name,
"first_name" => @user.person.profile.first_name}}
end end
it "doesn't overwrite the profile photo when an empty string is passed in" do it "doesn't overwrite the profile photo when an empty string is passed in" do
image_url = @user.person.profile.image_url image_url = @user.person.profile.image_url
put("update", :id => @user.id, "user"=> {"profile"=> put("update", :id => @user.id, "user" => @params)
{"image_url" => "",
"last_name" => @user.person.profile.last_name,
"first_name" => @user.person.profile.first_name}})
@user.person.profile.image_url.should == image_url @user.person.profile.image_url.should == image_url
end end
it "doesn't overwrite random attributes" do
new_user = Factory.create(:user)
@params[:owner_id] = new_user.id
person = @user.person
put('update', :id => @user.id, "user" => @params)
Person.find(person.id).owner_id.should == @user.id
end
end end
context 'should allow the user to update their password' do context 'should allow the user to update their password' do