jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix exploit for viewing private dmails

Browse Source
This commit is contained in:
Albert Yi
2016-12-06 14:34:46 -08:00
parent deb62e0cdb
commit 4eb0a64135
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
test/functional/dmails_controller_test.rb
View File

@@ -22,6 +22,12 @@ class DmailsControllerTest < ActionController::TestCase
end
context "with a respond_to_id" do
should "check privileges" do
@user2 = FactoryGirl.create(:user)
get :new, {:respond_to_id => @dmail}, {:user_id => @user2.id}
assert_response 403
end
should "prefill the fields" do
get :new, {:respond_to_id => @dmail}, {:user_id => @user.id}
assert_response :success