FIX: [security bug] XHR check bypass

spec/controllers/application_controller_spec.rb

@@ -1,7 +1,7 @@
 require 'spec_helper'
 
-describe 'api' do 
-  before do 
+describe 'api' do
+  before do
     fake_key = SecureRandom.hex(32)
     SiteSetting.stubs(:api_key).returns(fake_key)
   end
@@ -11,26 +11,28 @@ describe 'api' do
       Fabricate(:user)
     end
 
-    let(:post) do 
+    let(:post) do
       Fabricate(:post)
     end
-    
+
     # choosing an arbitrarily easy to mock trusted activity
     it 'allows users with api key to bookmark posts' do
-      PostAction.expects(:act).with(user,post,PostActionType.types[:bookmark]).returns(true)
-      put :bookmark, bookmarked: "true" ,post_id: post.id , api_key: SiteSetting.api_key, api_username: user.username
+      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
+      put :bookmark, bookmarked: "true", post_id: post.id, api_key: SiteSetting.api_key, api_username: user.username, format: :json
     end
 
     it 'disallows phonies to bookmark posts' do
-      lambda do 
-        put :bookmark, bookmarked: "true" ,post_id: post.id , api_key: SecureRandom.hex(32), api_username: user.username
+      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
+      lambda do
+        put :bookmark, bookmarked: "true", post_id: post.id, api_key: SecureRandom.hex(32), api_username: user.username, format: :json
       end.should raise_error Discourse::NotLoggedIn
     end
-    
+
     it 'disallows blank api' do
       SiteSetting.stubs(:api_key).returns("")
-      lambda do 
-        put :bookmark, bookmarked: "true" ,post_id: post.id , api_key: "", api_username: user.username
+      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).never
+      lambda do
+        put :bookmark, bookmarked: "true", post_id: post.id, api_key: "", api_username: user.username, format: :json
       end.should raise_error Discourse::NotLoggedIn
     end
   end