SECURITY: Users can only bookmark posts which they can see.

This commit is contained in:
Guo Xiang Tan
2016-12-21 12:01:26 +08:00
parent 1821a0933d
commit 5d7f3223f0
9 changed files with 91 additions and 33 deletions


@@ -7,6 +7,20 @@ describe PostActionsController do
expect { xhr :post, :create }.to raise_error(Discourse::NotLoggedIn)
end
context 'logged in as user' do
let(:user) { Fabricate(:user) }
let(:private_message) { Fabricate(:private_message_post, user: Fabricate(:coding_horror)) }
before do
log_in_user(user)
end
it 'fails when the user does not have permission to see the post' do
xhr :post, :create, id: private_message.id, post_action_type_id: PostActionType.types[:bookmark]
expect(response).to be_forbidden
end
end
describe 'logged in as moderator' do
before do
@user = log_in(:moderator)
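Review bot: The new 'fails when the user does not have permission to see the post' example asserts only the 403 response; it does not verify that the bookmark was not persisted, so a check that runs after the record is written would still pass this test. Adding a side-effect assertion after the `expect(response).to be_forbidden` line would pin the security property the commit title claims, e.g. `expect(PostAction.exists?(post_id: private_message.id, post_action_type_id: PostActionType.types[:bookmark])).to eq(false)`. The example also covers only the bookmark type; if the same guard applies to other action types (not visible in this hunk), a second example for `:like` on the same private message would document that. The hunk ends inside the 'logged in as moderator' describe block, whose body continues in the next hunk.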
@@ -22,13 +36,7 @@ describe PostActionsController do
end
it "fails when the user doesn't have permission to see the post" do
Guardian.any_instance.expects(:can_see?).with(@post).returns(false)
xhr :post, :create, id: @post.id, post_action_type_id: PostActionType.types[:like]
expect(response).to be_forbidden
end
it "fails when the user doesn't have permission to perform that action" do
Guardian.any_instance.expects(:post_can_act?).with(@post, :like, taken_actions: nil).returns(false)
@post = Fabricate(:private_message_post, user: Fabricate(:user))
xhr :post, :create, id: @post.id, post_action_type_id: PostActionType.types[:like]
expect(response).to be_forbidden
end