dmails: fix users being able to update other user's dmails.

Fix it being possible to mark dmails belonging to other users as read or
deleted. Anyone who had a permalink to a dmail could update the dmail.
evazion
2020-02-02 23:36:05 -06:00
parent 73219f38ce
commit b8aa223ecb
2 changed files with 16 additions and 7 deletions


@@ -143,6 +143,13 @@ class DmailsControllerTest < ActionDispatch::IntegrationTest
assert_equal(false, @dmail.reload.is_deleted)
end
should "not allow updating if the dmail is not owned by the current user even with a dmail key" do
put_auth dmail_path(@dmail), @unrelated_user, params: { dmail: { is_deleted: true }, key: @dmail.key }
assert_response 403
assert_equal(false, @dmail.reload.is_deleted)
end
should "update user's unread_dmail_count when marking dmails as read or unread" do
put_auth dmail_path(@dmail), @user, params: { dmail: { is_read: true } }
assert_equal(true, @dmail.reload.is_read)