Ensure the correct feed -> submission URL

app/controllers/submissions_controller.rb

@@ -1,9 +1,13 @@
 class SubmissionsController < ApplicationController
   load_and_authorize_resource
+  before_filter :get_feed
   helper :contents
 
-  def index
+  def get_feed
     @feed = Feed.find(params[:feed_id])
+  end
+
+  def index
     @can_moderate_feed = can?(:update, @feed)
     @submissions = @feed.submissions
     if !@can_moderate_feed
@@ -19,6 +23,11 @@ def index
   def show
     @submission = Submission.find(params[:id])
 
+    # Enforce the correct feed ID in the URL
+    if @submission.feed != @feed
+      redirect_to feed_submissions_path(params[:feed_id])
+    end
+
     respond_to do |format|
       format.js { }
       format.html { }

test/functional/submissions_controller_test.rb

@@ -0,0 +1,15 @@
+require 'test_helper'
+
+class SubmissionsControllerTest < ActionController::TestCase
+  include Devise::TestHelpers
+
+  def setup
+    request.env["devise.mapping"] = Devise.mappings[:user]
+  end
+
+  test "show redirects to correct feed" do
+    get :show, :feed_id => feeds(:boring_announcements).id, :id => submissions(:approved_ticker).id
+    assert_redirected_to feed_submissions_path(feeds(:boring_announcements))
+  end
+
+end