From d0c6f12ea8a6d8f8fd7116c91cd1690dacbbeb1a Mon Sep 17 00:00:00 2001
From: ilya
Date: Wed, 13 Oct 2010 18:43:22 -0700
Subject: [PATCH] added another attack vector spec

---
 app/controllers/users_controller.rb | 4 ---
 app/views/devise/mailer/invitation.html.haml | 2 +-
 spec/models/user/attack_vectors_spec.rb | 29 ++++++++++++++++++--
 3 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 030cfe56d..0956c28cc 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -78,10 +78,6 @@ class UsersController < ApplicationController
 send_data( File.open(tar_path).read, :filename => "#{current_user.id}.tar" )
 end
- def invite
- User.invite!(:email => params[:email])
- end
-
 private
 def prep_image_url(params)
 url = APP_CONFIG[:pod_url].chop if APP_CONFIG[:pod_url][-1,1] == '/'
diff --git a/app/views/devise/mailer/invitation.html.haml b/app/views/devise/mailer/invitation.html.haml
index 03b6a5d26..86b01d97a 100644
--- a/app/views/devise/mailer/invitation.html.haml
+++ b/app/views/devise/mailer/invitation.html.haml
@@ -6,4 +6,4 @@
 %p
 If you don't want to accept the invitation, please ignore this email.
 %br/
- Your account won't be created until you access the link above and set your password.
+ Your account won't be created until you access the link above and sign up.
diff --git a/spec/models/user/attack_vectors_spec.rb b/spec/models/user/attack_vectors_spec.rb
index 2918cf1ca..625969bef 100644
--- a/spec/models/user/attack_vectors_spec.rb
+++ b/spec/models/user/attack_vectors_spec.rb
@@ -21,7 +21,7 @@ describe User do
 end
 context 'malicious friend attack vector' do
- it 'ovewrites messages with a different user' do
+ it 'overwrites messages with a different user' do
 original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
 user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
@@ -34,7 +34,7 @@ describe User do
 user.raw_visible_posts.first.message.should == "store this!"
 end
- it 'ovewrites messages which apear to be from the same user' do
+ it 'overwrites messages which apear to be from the same user' do
 original_message = user2.post :status_message, :message => 'store this!', :to => aspect2.id
 user.receive_salmon(user2.salmon(original_message).xml_for(user.person))
 user.raw_visible_posts.count.should be 1
@@ -47,7 +47,7 @@ describe User do
 user.raw_visible_posts.first.message.should == "store this!"
 end
- it 'overites another persons profile' do
+ it 'should not overwrite another persons profile profile' do
 profile = user2.profile.clone
 profile.first_name = "Not BOB"
@@ -57,6 +57,29 @@ describe User do
 user2.reload
 user2.profile.first_name.should == "Robert"
 end
+
+ it 'should not overwrite another persons profile through comment' do
+ pending
+ user_status = user.post(:status_message, :message => "hi", :to => 'all')
+ comment = Comment.new(:person_id => user3.person.id, :text => "hey", :post => user_status)
+
+ comment.creator_signature = comment.sign_with_key(user3.encryption_key)
+ comment.post_creator_signature = comment.sign_with_key(user.encryption_key)
+ person = user3.person
+ original_url = person.url
+ original_id = person.id
+ puts original_url
+
+ comment.person.url = "http://bad.com/"
+ user3.delete
+ person.delete
+
+ comment.to_diaspora_xml.include?("bad.com").should be true
+ user2.receive_salmon(user.salmon(comment).xml_for(user2.person))
+
+ comment.person.url.should == original_url
+ Person.first(:id => original_id).url.should == original_url
+ end
 end
 end
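Review bot: `puts original_url` in the new example is leftover debug output and should be removed; a spec asserts on a value rather than printing it. The bare `pending` on the line above it also means that, on the RSpec of this era, the example stops right there and none of the following lines run, so the tampered-URL check is not actually exercised until the block form is used and the reason is stated, e.g. `pending '<reason the receipt-side check is not done yet>' do ... end`. `comment.person.url.should == original_url` reads the same in-memory association the example itself set to `"http://bad.com/"`, so it will still see the tampered value unless `receive_salmon` or a reload replaces it — presumably the `Person.first(:id => original_id)` line is the assertion that observes the stored record, confirm against the Comment model. The description added at the `@@ -47` hunk repeats a word: `'should not overwrite another persons profile profile'`. The enclosing `describe User do` block starts before these hunks.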