Merge pull request #2759 from evazion/fix-dmail-filters
Don't filter dmails from moderators; fix dmail filter exploit.
@@ -0,0 +1,40 @@
|
||||
require "test_helper"
|
||||
|
||||
module Maintenance
|
||||
module User
|
||||
class DmailFiltersControllerTest < ActionController::TestCase
|
||||
context "The dmail filters controller" do
|
||||
setup do
|
||||
@user1 = FactoryGirl.create(:user)
|
||||
@user2 = FactoryGirl.create(:user)
|
||||
CurrentUser.user = @user1
|
||||
CurrentUser.ip_addr = "127.0.0.1"
|
||||
end
|
||||
|
||||
teardown do
|
||||
CurrentUser.user = nil
|
||||
CurrentUser.ip_addr = nil
|
||||
end
|
||||
|
||||
context "update action" do
|
||||
should "not allow a user to create a filter belonging to another user" do
|
||||
@dmail = FactoryGirl.create(:dmail, :owner => @user1)
|
||||
|
||||
params = {
|
||||
:dmail_id => @dmail.id,
|
||||
:dmail_filter => {
|
||||
:words => "owned",
|
||||
:user_id => @user2.id
|
||||
}
|
||||
}
|
||||
|
||||
post :update, params, { :user_id => @user1.id }
|
||||
|
||||
assert_not_equal("owned", @user2.reload.dmail_filter.try(&:words))
|
||||
assert_redirected_to(@dmail)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
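Review bot: The "update action" test only exercises the path where the other user has no filter yet, because `@user2` is freshly created in `setup`. The case where a request tries to overwrite an existing filter is not covered. I would add a second case that gives `@user2` a filter with known words before the post and asserts those words are unchanged afterwards. If the intended behaviour is that the submitted `:user_id` is ignored and the filter is bound to the session user, also pin the positive outcome with `assert_equal("owned", @user1.reload.dmail_filter.words)`, so the test checks more than the absence of a write and the redirect.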
|
||||
@@ -38,6 +38,16 @@ class DmailTest < ActiveSupport::TestCase
|
||||
assert_equal(false, @recipient.has_mail?)
|
||||
end
|
||||
|
||||
should "be ignored when sender is a moderator" do
|
||||
CurrentUser.scoped(FactoryGirl.create(:moderator_user), "127.0.0.1") do
|
||||
@dmail = FactoryGirl.create(:dmail, :owner => @recipient, :body => "banned word here", :to => @recipient)
|
||||
end
|
||||
|
||||
assert_equal(false, !!@recipient.dmail_filter.filtered?(@dmail))
|
||||
assert_equal(false, @dmail.is_read?)
|
||||
assert_equal(true, @recipient.has_mail?)
|
||||
end
|
||||
|
||||
context "that is empty" do
|
||||
setup do
|
||||
@recipient.dmail_filter.update_attributes(:words => " ")
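Review bot: The sender in the new "be ignored when sender is a moderator" test is implicit: the factory call passes `:owner` and `:to` but no sender, so the test presumably relies on the dmail picking up its sender from `CurrentUser` inside the `scoped` block. The moderator exemption is a trust decision keyed on who sent the message, so I would bind the moderator to a local and pass it to the factory explicitly, rather than depend on defaults that are not visible in this hunk. Separately, `assert_equal(false, !!@recipient.dmail_filter.filtered?(@dmail))` suggests `filtered?` can return a non-boolean; `assert_not(@recipient.dmail_filter.filtered?(@dmail))` states the intent more directly. The enclosing context and the trailing "that is empty" block start and end outside the hunk.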
|
||||
|
||||