jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #2706 from evazion/fix-2704

Browse Source 
Partial fixes for #2704
This commit is contained in:
Albert Yi
2016-10-06 10:37:42 -07:00
committed by GitHub
parent 6b6f78da57 cb1e1d3a94
commit c8f4508924
7 changed files with 53 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/comments_controller.rb
View File

@@ -23,7 +23,7 @@ class CommentsController < ApplicationController
def update def update
@comment = Comment.find(params[:id]) @comment = Comment.find(params[:id])
check_privilege(@comment) check_privilege(@comment)
@comment.update_attributes(params[:comment]) @comment.update_attributes(params[:comment].permit(:body))
respond_with(@comment, :location => post_path(@comment.post_id)) respond_with(@comment, :location => post_path(@comment.post_id))
end end

5
app/models/comment.rb
View File

@@ -1,6 +1,7 @@
class Comment < ActiveRecord::Base class Comment < ActiveRecord::Base
include Mentionable include Mentionable
validate :validate_post_exists, :on => :create
validate :validate_creator_is_not_limited, :on => :create validate :validate_creator_is_not_limited, :on => :create
validates_format_of :body, :with => /\S/, :message => 'has no content' validates_format_of :body, :with => /\S/, :message => 'has no content'
belongs_to :post belongs_to :post
@@ -148,6 +149,10 @@ class Comment < ActiveRecord::Base
User.id_to_name(updater_id) User.id_to_name(updater_id)
end end
def validate_post_exists
errors.add(:post, "must exist") unless Post.exists?(post_id)
end
def validate_creator_is_not_limited def validate_creator_is_not_limited
if creator.is_comment_limited? && !do_not_bump_post? if creator.is_comment_limited? && !do_not_bump_post?
errors.add(:base, "You can only post #{Danbooru.config.member_comment_limit} comments per hour") errors.add(:base, "You can only post #{Danbooru.config.member_comment_limit} comments per hour")

2
app/models/post.rb
View File

@@ -45,7 +45,7 @@ class Post < ActiveRecord::Base
has_many :favorites, :dependent => :destroy has_many :favorites, :dependent => :destroy
validates_uniqueness_of :md5 validates_uniqueness_of :md5
validate :post_is_not_its_own_parent validate :post_is_not_its_own_parent
attr_accessible :source, :rating, :tag_string, :old_tag_string, :old_parent_id, :old_source, :old_rating, :last_noted_at, :parent_id, :has_embedded_notes, :as => [:member, :builder, :gold, :platinum, :janitor, :moderator, :admin, :default] attr_accessible :source, :rating, :tag_string, :old_tag_string, :old_parent_id, :old_source, :old_rating, :parent_id, :has_embedded_notes, :as => [:member, :builder, :gold, :platinum, :janitor, :moderator, :admin, :default]
attr_accessible :is_rating_locked, :is_note_locked, :as => [:builder, :janitor, :moderator, :admin] attr_accessible :is_rating_locked, :is_note_locked, :as => [:builder, :janitor, :moderator, :admin]
attr_accessible :is_status_locked, :as => [:admin] attr_accessible :is_status_locked, :as => [:admin]

27
test/functional/comments_controller_test.rb
View File

@@ -33,6 +33,28 @@ class CommentsControllerTest < ActionController::TestCase
post :update, {:id => @comment.id, :comment => {:body => "abc"}}, {:user_id => @comment.creator_id} post :update, {:id => @comment.id, :comment => {:body => "abc"}}, {:user_id => @comment.creator_id}
assert_redirected_to post_path(@comment.post) assert_redirected_to post_path(@comment.post)
end end
should "only allow changing the body" do
params = {
id: @comment.id,
comment: {
body: "herp derp",
do_not_bump_post: true,
is_deleted: true,
post_id: FactoryGirl.create(:post).id,
}
}
post :update, params, { :user_id => @comment.creator_id }
@comment.reload
assert_equal("herp derp", @comment.body)
assert_equal(false, @comment.do_not_bump_post)
assert_equal(false, @comment.is_deleted)
assert_equal(@post.id, @comment.post_id)
assert_redirected_to post_path(@post)
end
end end
context "create action"do context "create action"do
@@ -43,6 +65,11 @@ class CommentsControllerTest < ActionController::TestCase
comment = Comment.last comment = Comment.last
assert_redirected_to post_path(comment.post) assert_redirected_to post_path(comment.post)
end end
should "not allow commenting on nonexistent posts" do
post :create, {:comment => FactoryGirl.attributes_for(:comment, :post_id => -1)}, {:user_id => @user.id}
assert_response :error
end
end end
end end
end end

8
test/functional/posts_controller_test.rb
View File

@@ -103,6 +103,14 @@ class PostsControllerTest < ActionController::TestCase
@post.reload @post.reload
assert_equal("bbb", @post.tag_string) assert_equal("bbb", @post.tag_string)
end end
should "ignore restricted params" do
post :update, {:id => @post.id, :post => {:last_noted_at => 1.minute.ago}}, {:user_id => @user.id}
assert_redirected_to post_path(@post)
@post.reload
assert_nil(@post.last_noted_at)
end
end end
context "revert action" do context "revert action" do

7
test/unit/comment_test.rb
View File

@@ -101,6 +101,13 @@ class CommentTest < ActiveSupport::TestCase
assert(comment.errors.empty?, comment.errors.full_messages.join(", ")) assert(comment.errors.empty?, comment.errors.full_messages.join(", "))
end end
should "not validate if the post does not exist" do
comment = FactoryGirl.build(:comment, :post_id => -1)
assert_not(comment.valid?)
assert_equal(["must exist"], comment.errors[:post])
end
should "not bump the parent post" do should "not bump the parent post" do
post = FactoryGirl.create(:post) post = FactoryGirl.create(:post)
comment = FactoryGirl.create(:comment, :do_not_bump_post => true, :post => post) comment = FactoryGirl.create(:comment, :do_not_bump_post => true, :post => post)

4
test/unit/post_test.rb
View File

@@ -1723,5 +1723,9 @@ class PostTest < ActiveSupport::TestCase
end end
end end
end end
context "Mass assignment: " do
should_not allow_mass_assignment_of(:last_noted_at).as(:member)
end
end end