users: don't allow gifting upgrades to demote privileged users.

Don't allow gifting Gold or Platinum upgrades to users above Platinum
level. Fixes an exploit where you could demote Builders and above by
gifting them an upgrade.
evazion
2020-12-13 18:43:34 -06:00
parent 2144f45fa4
commit d8b51e3f02
2 changed files with 12 additions and 0 deletions


@@ -77,6 +77,16 @@ class UserUpgradesControllerTest < ActionDispatch::IntegrationTest
end
end
context "an upgrade for a user above Platinum level" do
should "not demote the user" do
@builder = create(:builder_user)
post_auth user_upgrade_path, @user, params: { stripeToken: @token, desc: "Upgrade to Gold", user_id: @builder.id }
assert_response 403
assert_equal(true, @builder.reload.is_builder?)
end
end
context "an upgrade with a missing Stripe token" do
should "not upgrade the user" do
post_auth user_upgrade_path, @user, params: { desc: "Upgrade to Gold" }