jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Raise error on unpermitted params.

Browse Source 
Fail loudly if we forget to whitelist a param instead of silently
ignoring it.

misc models: convert to strong params.

artist commentaries: convert to strong params.

* Disallow changing or setting post_id to a nonexistent post.

artists: convert to strong params.

* Disallow setting `is_banned` in create/update actions. Changing it
  this way instead of with the ban/unban actions would leave the artist in
  a partially banned state.

bans: convert to strong params.

* Disallow changing the user_id after the ban has been created.

comments: convert to strong params.

favorite groups: convert to strong params.

news updates: convert to strong params.

post appeals: convert to strong params.

post flags: convert to strong params.

* Disallow users from setting the `is_deleted` / `is_resolved` flags.

ip bans: convert to strong params.

user feedbacks: convert to strong params.

* Disallow users from setting `disable_dmail_notification` when creating feedbacks.
* Disallow changing the user_id after the feedback has been created.

notes: convert to strong params.

wiki pages: convert to strong params.

* Also fix non-Builders being able to delete wiki pages.

saved searches: convert to strong params.

pools: convert to strong params.

* Disallow setting `post_count` or `is_deleted` in create/update actions.

janitor trials: convert to strong params.

post disapprovals: convert to strong params.

* Factor out quick-mod bar to shared partial.
* Fix quick-mod bar to use `Post#is_approvable?` to determine visibility
  of Approve button.

dmail filters: convert to strong params.

password resets: convert to strong params.

user name change requests: convert to strong params.

posts: convert to strong params.

users: convert to strong params.

* Disallow setting password_hash, last_logged_in_at, last_forum_read_at,
  has_mail, and dmail_filter_attributes[user_id].

* Remove initialize_default_image_size (dead code).

uploads: convert to strong params.

* Remove `initialize_status` because status already defaults to pending
  in the database.

tag aliases/implications: convert to strong params.

tags: convert to strong params.

forum posts: convert to strong params.

* Disallow changing the topic_id after creating the post.
* Disallow setting is_deleted (destroy/undelete actions should be used instead).
* Remove is_sticky / is_locked (nonexistent attributes).

forum topics: convert to strong params.

* merges https://github.com/evazion/danbooru/tree/wip-rails-5.1
* lock pg gem to 0.21 (1.0.0 is incompatible with rails 5.1.4)
* switch to factorybot and change all references

Co-authored-by: r888888888 <r888888888@gmail.com>
Co-authored-by: evazion <noizave@gmail.com>

add diffs
This commit is contained in:
r888888888
2018-04-02 10:51:26 -07:00
committed by Albert Yi
parent 01eda51020
commit abce4d2551
362 changed files with 4796 additions and 4799 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
test/functional/posts_controller_test.rb
View File

@@ -1,36 +1,30 @@
require "test_helper"
class PostsControllerTest < ActionController::TestCase
class PostsControllerTest < ActionDispatch::IntegrationTest
context "The posts controller" do
setup do
@user = Timecop.travel(1.month.ago) {FactoryGirl.create(:user)}
@api_key = ApiKey.generate!(@user)
CurrentUser.user = @user
CurrentUser.ip_addr = "127.0.0.1"
@post = FactoryGirl.create(:post, :uploader_id => @user.id, :tag_string => "aaaa")
end
teardown do
CurrentUser.user = nil
CurrentUser.ip_addr = nil
@user = travel_to(1.month.ago) {create(:user)}
as_user do
@post = create(:post, :tag_string => "aaaa")
end
end
context "for api calls" do
setup do
@api_key = ApiKey.generate!(@user)
end
context "passing the api limit" do
setup do
@post = FactoryGirl.create(:post)
@bucket = TokenBucket.create(user_id: @user.id, token_count: 5, last_touched_at: Time.now)
User.any_instance.stubs(:api_burst_limit).returns(5)
User.any_instance.stubs(:api_regen_multiplier).returns(0)
as_user do
@post = create(:post)
end
TokenBucket.any_instance.stubs(:throttled?).returns(true)
@bucket = TokenBucket.create(user_id: @user.id, token_count: 0, last_touched_at: Time.now)
end
should "work" do
@user.api_burst_limit.times do
post :update, {:format => "json", :id => @post.id, :post => {:rating => "q"}, :login => @user.name, :api_key => @user.api_key.key}
assert_response :success
end
post :update, {:format => "json", :id => @post.id, :post => {:rating => "q"}, :login => @user.name, :api_key => @user.api_key.key}
put post_path(@post), params: {:format => "json", :post => {:rating => "q"}, :login => @user.name, :api_key => @user.api_key.key}
assert_response 429
end
end
@@ -38,39 +32,37 @@ class PostsControllerTest < ActionController::TestCase
context "using http basic auth" do
should "succeed for password matches" do
@basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:#{@api_key.key}")}"
@request.env['HTTP_AUTHORIZATION'] = @basic_auth_string
get :index, {:format => "json"}
get posts_path, params: {:format => "json"}, headers: {'HTTP_AUTHORIZATION' => @basic_auth_string}
assert_response :success
end
should "fail for password mismatches" do
@basic_auth_string = "Basic #{::Base64.encode64("#{@user.name}:badpassword")}"
@request.env['HTTP_AUTHORIZATION'] = @basic_auth_string
get :index, {:format => "json"}
get posts_path, params: {:format => "json"}, headers: {'HTTP_AUTHORIZATION' => @basic_auth_string}
assert_response 401
end
end
context "using the api_key parameter" do
should "succeed for password matches" do
get :index, {:format => "json", :login => @user.name, :api_key => @api_key.key}
get posts_path, params: {:format => "json", :login => @user.name, :api_key => @api_key.key}
assert_response :success
end
should "fail for password mismatches" do
get :index, {:format => "json", :login => @user.name, :api_key => "bad"}
get posts_path, params: {:format => "json", :login => @user.name, :api_key => "bad"}
assert_response 401
end
end
context "using the password_hash parameter" do
should "succeed for password matches" do
get :index, {:format => "json", :login => @user.name, :password_hash => User.sha1("password")}
get posts_path, params: {:format => "json", :login => @user.name, :password_hash => User.sha1("password")}
assert_response :success
end
# should "fail for password mismatches" do
# get :index, {:format => "json", :login => @user.name, :password_hash => "bad"}
# get posts_path, {:format => "json", :login => @user.name, :password_hash => "bad"}
# assert_response 403
# end
end
@@ -78,20 +70,20 @@ class PostsControllerTest < ActionController::TestCase
context "index action" do
should "render" do
get :index
get posts_path
assert_response :success
end
context "with a search" do
should "render" do
get :index, {:tags => "aaaa"}
get posts_path, params: {:tags => "aaaa"}
assert_response :success
end
end
context "with an md5 param" do
should "render" do
get :index, { md5: @post.md5 }
get posts_path, params: { md5: @post.md5 }
assert_redirected_to(@post)
end
end
@@ -99,33 +91,33 @@ class PostsControllerTest < ActionController::TestCase
context "show_seq action" do
should "render" do
posts = FactoryGirl.create_list(:post, 3)
posts = FactoryBot.create_list(:post, 3)
get :show_seq, { seq: "prev", id: posts[1].id }
get show_seq_post_path(posts[1].id), params: { seq: "prev" }
assert_redirected_to(posts[2])
get :show_seq, { seq: "next", id: posts[1].id }
get show_seq_post_path(posts[1].id), params: { seq: "next" }
assert_redirected_to(posts[0])
end
end
context "random action" do
should "render" do
get :random, { tags: "aaaa" }
get random_posts_path, params: { tags: "aaaa" }
assert_redirected_to(post_path(@post, tags: "aaaa"))
end
end
context "show action" do
should "render" do
get :show, {:id => @post.id}
get post_path(@post), params: {:id => @post.id}
assert_response :success
end
end
context "update action" do
should "work" do
post :update, {:id => @post.id, :post => {:tag_string => "bbb"}}, {:user_id => @user.id}
put_auth post_path(@post), @user, params: {:post => {:tag_string => "bbb"}}
assert_redirected_to post_path(@post)
@post.reload
@@ -133,35 +125,35 @@ class PostsControllerTest < ActionController::TestCase
end
should "ignore restricted params" do
post :update, {:id => @post.id, :post => {:last_noted_at => 1.minute.ago}}, {:user_id => @user.id}
assert_redirected_to post_path(@post)
@post.reload
assert_nil(@post.last_noted_at)
put_auth post_path(@post), @user, params: {:post => {:last_noted_at => 1.minute.ago}}
assert_nil(@post.reload.last_noted_at)
end
end
context "revert action" do
setup do
PostArchive.sqs_service.stubs(:merge?).returns(false)
@post.update_attributes(:tag_string => "zzz")
as_user do
@post.update(tag_string: "zzz")
end
end
should "work" do
@version = @post.versions.first
assert_equal("aaaa", @version.tags)
post :revert, {:id => @post.id, :version_id => @version.id}, {:user_id => @user.id}
put_auth revert_post_path(@post), @user, params: {:version_id => @version.id}
assert_redirected_to post_path(@post)
@post.reload
assert_equal("aaaa", @post.tag_string)
end
should "not allow reverting to a previous version of another post" do
@post2 = FactoryGirl.create(:post, :uploader_id => @user.id, :tag_string => "herp")
as_user do
@post2 = create(:post, :uploader_id => @user.id, :tag_string => "herp")
end
post :revert, { :id => @post.id, :version_id => @post2.versions.first.id }, {:user_id => @user.id}
put_auth revert_post_path(@post), @user, params: { :version_id => @post2.versions.first.id }
@post.reload
assert_not_equal(@post.tag_string, @post2.tag_string)
assert_response :missing
end