github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-25 09:57:25 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

All parameters for #create in PostsController pass through strong_parameters.

Browse Source 
We are now explicitly whitelisting all parameters for Post creation. A nice side-effect is that it cleans up the #create action in PostsController. We can now trust that all parameters entering PostCreator are of a safe scalar type.
This commit is contained in:
Ian Christian Myers
2013-06-07 00:52:03 -07:00
parent 875151f08a
commit b61e10f9ad
5 changed files with 48 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
spec/controllers/posts_controller_spec.rb
View File

@ -257,19 +257,19 @@ describe PostsController do
let!(:user) { log_in }
let(:new_post) { Fabricate.build(:post, user: user) }
it "raises an exception without a post parameter" do
lambda { xhr :post, :create }.should raise_error(ActionController::ParameterMissing)
it "raises an exception without a raw parameter" do
lambda { xhr :post, :create }.should raise_error(ActionController::ParameterMissing)
end
it 'calls the post creator' do
PostCreator.any_instance.expects(:create).returns(new_post)
xhr :post, :create, post: {raw: 'test'}
xhr :post, :create, {raw: 'test'}
response.should be_success
end
it 'returns JSON of the post' do
PostCreator.any_instance.expects(:create).returns(new_post)
xhr :post, :create, post: {raw: 'test'}
xhr :post, :create, {raw: 'test'}
::JSON.parse(response.body).should be_present
end
@ -284,7 +284,7 @@ describe PostsController do
end
it "does not succeed" do
xhr :post, :create, post: {raw: 'test'}
xhr :post, :create, {raw: 'test'}
User.any_instance.expects(:flag_linked_posts_as_spam).never
response.should_not be_success
end
@ -292,7 +292,7 @@ describe PostsController do
it "it triggers flag_linked_posts_as_spam when the post creator returns spam" do
PostCreator.any_instance.expects(:spam?).returns(true)
User.any_instance.expects(:flag_linked_posts_as_spam)
xhr :post, :create, post: {raw: 'test'}
xhr :post, :create, {raw: 'test'}
end
end
@ -308,48 +308,48 @@ describe PostsController do
end
it "passes raw through" do
PostCreator.expects(:new).with(user, has_entries(raw: 'hello')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello'}
PostCreator.expects(:new).with(user, has_entries('raw' => 'hello')).returns(post_creator)
xhr :post, :create, {raw: 'hello'}
end
it "passes title through" do
PostCreator.expects(:new).with(user, has_entries(title: 'new topic title')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello'}, title: 'new topic title'
PostCreator.expects(:new).with(user, has_entries('title' => 'new topic title')).returns(post_creator)
xhr :post, :create, {raw: 'hello', title: 'new topic title'}
end
it "passes topic_id through" do
PostCreator.expects(:new).with(user, has_entries(topic_id: '1234')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello', topic_id: 1234}
PostCreator.expects(:new).with(user, has_entries('topic_id' => '1234')).returns(post_creator)
xhr :post, :create, {raw: 'hello', topic_id: 1234}
end
it "passes archetype through" do
PostCreator.expects(:new).with(user, has_entries(archetype: 'private_message')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello'}, archetype: 'private_message'
PostCreator.expects(:new).with(user, has_entries('archetype' => 'private_message')).returns(post_creator)
xhr :post, :create, {raw: 'hello', archetype: 'private_message'}
end
it "passes category through" do
PostCreator.expects(:new).with(user, has_entries(category: 'cool')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello', category: 'cool'}
PostCreator.expects(:new).with(user, has_entries('category' => 'cool')).returns(post_creator)
xhr :post, :create, {raw: 'hello', category: 'cool'}
end
it "passes target_usernames through" do
PostCreator.expects(:new).with(user, has_entries(target_usernames: 'evil,trout')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello'}, target_usernames: 'evil,trout'
PostCreator.expects(:new).with(user, has_entries('target_usernames' => 'evil,trout')).returns(post_creator)
xhr :post, :create, {raw: 'hello', target_usernames: 'evil,trout'}
end
it "passes reply_to_post_number through" do
PostCreator.expects(:new).with(user, has_entries(reply_to_post_number: '6789')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello', reply_to_post_number: 6789}
PostCreator.expects(:new).with(user, has_entries('reply_to_post_number' => '6789')).returns(post_creator)
xhr :post, :create, {raw: 'hello', reply_to_post_number: 6789}
end
it "passes image_sizes through" do
PostCreator.expects(:new).with(user, has_entries(image_sizes: 'test')).returns(post_creator)
xhr :post, :create, post: {raw: 'hello'}, image_sizes: 'test'
PostCreator.expects(:new).with(user, has_entries('image_sizes' => 'test')).returns(post_creator)
xhr :post, :create, {raw: 'hello', image_sizes: 'test'}
end
it "passes meta_data through" do
PostCreator.expects(:new).with(user, has_entries(meta_data: {'xyz' => 'abc'})).returns(post_creator)
xhr :post, :create, post: {raw: 'hello'}, meta_data: {xyz: 'abc'}
PostCreator.expects(:new).with(user, has_entries('meta_data' => {'xyz' => 'abc'})).returns(post_creator)
xhr :post, :create, {raw: 'hello', meta_data: {xyz: 'abc'}}
end
end