From 3a00c2adeb861d3d8a86183ddfbe739d8c543702 Mon Sep 17 00:00:00 2001
From: pmusaraj
Date: Wed, 12 Sep 2018 10:13:20 -0400
Subject: [PATCH] add test to ensure that userA cannot see drafts stream of userB
---
 spec/requests/drafts_controller_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/spec/requests/drafts_controller_spec.rb b/spec/requests/drafts_controller_spec.rb
index bffc3900b54..d18b15ec85f 100644
--- a/spec/requests/drafts_controller_spec.rb
+++ b/spec/requests/drafts_controller_spec.rb
@@ -24,4 +24,15 @@ describe DraftsController do
 parsed = JSON.parse(response.body)
 expect(parsed["drafts"].length).to eq(0)
 end
+
+ it 'does not let userA see drafts by userB' do
+ userB = Fabricate(:user)
+ Draft.set(userB, 'xxx', 0, '{}')
+
+ userA = sign_in(Fabricate(:user))
+ get "/drafts.json", params: { username: userB.username }
+ expect(response.status).to eq(200)
+ parsed = JSON.parse(response.body)
+ expect(parsed["drafts"].length).to eq(0)
+ end
 end
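Review bot: The new example can pass without exercising the access check, because its only drafts assertion is `expect(parsed["drafts"].length).to eq(0)` and nothing in the hunk shows that the draft stored under key 'xxx' would appear in the stream for its owner. If the stream filters on key or topic, the test stays green even if the per-user guard in the controller regresses. Unless another example in this file already covers it (the `describe` block starts outside the hunk), pair this with a positive control that uses the same setup: `sign_in(userB)`, the same `get "/drafts.json", params: { username: userB.username }`, then `expect(parsed["drafts"].length).to eq(1)`. As a style point, `userA` is assigned but never read, so `sign_in(Fabricate(:user))` alone is enough, and the locals would conventionally be snake_case (`user_b`).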