add attr_accessible to User [Neill Zero]

git-svn-id: http://svn.techno-weenie.net/projects/mephisto/trunk@2805 
567b1171-46fb-0310-a4c9-b4bef9110e78
technoweenie (author)
Wed Mar 14 19:13:49 -0700 2007
commit  3a75a19ce68fac27f73064dd0bbc51ed9ebf889b
tree    94ab2ab4f83d9c7175b94c18da922d32fcdba6d1
parent  19c9f1382b8c615f1432af81bbe92df688a02bda
...
6
7
8
9
 
 
 
 
10
11
12
...
6
7
8
 
9
10
11
12
13
14
15
0
@@ -6,7 +6,10 @@ class User < ActiveRecord::Base
0
 
0
   # Virtual attribute for the unencrypted password
0
   attr_accessor :password
0
-
0
+
0
+ #Only these can be modified through bulk-setters like update_attributes, new, create
0
+ attr_accessible :login, :email, :password, :password_confirmation, :filter
0
+
0
   validates_presence_of :login, :email
0
   validates_format_of :email, :with => Format::EMAIL
0
   validates_presence_of :password, :if => :password_required?
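Review bot: The new comment above `attr_accessible` is terse and uses `#Only` without the conventional space, while the whitelist it introduces is the only thing keeping `admin`, `created_at` and association ids out of `update_attributes`; a comment that states that consequence would help the next maintainer who adds a column, e.g. `# Mass-assignment whitelist: anything not listed here (admin, created_at, article_ids, ...) must be set explicitly, never from params.` The three added lines also appear indented one column less than the surrounding `attr_accessor` / `validates_*` lines, though that may be an artifact of the rendered page rather than the file. The class `User` continues past the end of this hunk.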
...
114
115
116
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
117
118
119
...
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
0
@@ -114,6 +114,36 @@ class Admin::UsersControllerTest < Test::Unit::TestCase
0
     assert_equal 'markdown_filter', users(:quentin).filter
0
   end
0
 
0
+ def test_should_not_permit_promoting_self_to_admin_in_update
0
+ login_as :arthur, :hostess
0
+ assert !users(:arthur).admin, "we mean to test with a non-admin user"
0
+ post :update, :id => users(:arthur).id, :user => { :admin => 'true' }
0
+ users(:arthur).reload
0
+ assert !users(:arthur).admin, "user.admin shouldn't change"
0
+ assert_response :success
0
+ end
0
+
0
+ def test_should_not_permit_changing_own_created_at_in_update
0
+ login_as :arthur, :hostess
0
+ prev_time = users(:arthur).created_at
0
+ post :update, :id => users(:arthur).id, :user => { :created_at => prev_time - 1.year }
0
+ users(:arthur).reload
0
+ assert_equal prev_time, users(:arthur).created_at, "user.created_at shouldn't change"
0
+ assert_response :success
0
+ end
0
+
0
+ def test_should_not_permit_changing_owned_articles_in_update
0
+ login_as :quentin
0
+ user = users(:quentin)
0
+ prev_article_ids = user.article_ids
0
+ assert prev_article_ids.size > 2, "Test needs more than 2 articles. Pick another user?"
0
+ #but now we're going to try to own only the first 2 of them...
0
+ post :update, :id => user.id, :user => { :article_ids => prev_article_ids[0..1] }
0
+ user.reload
0
+ assert_equal prev_article_ids, user.article_ids, "user.article_ids[] shouldn't change"
0
+ assert_response :success
0
+ end
0
+
0
   def test_should_show_deleted_users
0
     login_as :quentin
0
     get :index
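Review bot: All three new tests exercise only the `update` action, yet the whitelist in the model also governs `new`/`create`; if this controller has a create action, a counterpart test that posts a `:user` hash containing `:admin => 'true'` and asserts the created record is not admin would close that gap. Each test ends with `assert_response :success`, which encodes that a protected attribute is dropped silently rather than the request being rejected; a comment such as `# protected attrs are ignored, the request itself still succeeds` would stop a reader from misreading `:success` as the attribute having been set. The third test's precondition `assert prev_article_ids.size > 2` ties the test to fixture volume, so it would be more robust to build the needed articles in the test (or a setup step) than to depend on the `quentin` fixture's current article count.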
