added test to make sure password is not leaked in user json/xml feed

2011-09-10 16:02:16 -04:00
parent a7846731d5
commit d9c3a5b519
2 changed files with 40 additions and 1 deletions
--- a/config/initializers/active_record_api_extensions.rb
+++ b/config/initializers/active_record_api_extensions.rb
@@ -17,7 +17,8 @@ module Danbooru
        options[:except] += hidden_attributes
        super(options, &block)
      end
-      
+    
+    protected
      def hidden_attributes
        [:uploader_ip_addr, :updater_ip_addr, :creator_ip_addr, :ip_addr]
      end
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
@@ -156,6 +156,24 @@ class UserTest < ActiveSupport::TestCase
      end
    end
      
+    context "ip address" do
+      setup do
+        @user = Factory.create(:user)
+      end
+      
+      context "in the json representation" do
+        should "not appear" do
+          assert(@user.to_json !~ /addr/)
+        end
+      end
+      
+      context "in the xml representation" do
+        should "not appear" do
+          assert(@user.to_xml !~ /addr/)
+        end
+      end
+    end
+    
    context "password" do
      should "match the confirmation" do
        @user = Factory.create(:user)
@@ -187,6 +205,26 @@ class UserTest < ActiveSupport::TestCase
        new_pass = @user.reset_password
        assert(User.authenticate(@user.name, new_pass), "Authentication should have succeeded")
      end
+      
+      context "in the json representation" do
+        setup do
+          @user = Factory.create(:user)
+        end
+        
+        should "not appear" do
+          assert(@user.to_json !~ /password/)
+        end
+      end
+      
+      context "in the xml representation" do
+        setup do
+          @user = Factory.create(:user)
+        end
+        
+        should "not appear" do
+          assert(@user.to_xml !~ /password/)
+        end
+      end
    end
  end
 end