catch tainted string in overview

technoweenie · Dec 20, 2008 · e229865 · e229865
1 parent 4aae70e
commit e229865
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 25 deletions.
diff --git a/app/views/admin/overview/_edit_event.rhtml b/app/views/admin/overview/_edit_event.rhtml
@@ -1,5 +1,5 @@
 <li class="event-revision<%= " shade" if defined?(shaded) && shaded == true %>">
   <span class="event-time"><%= event_time_for event, later %></span>
   <%= link_to h(event.title), :controller => 'articles', :action => 'edit', :id => event.article_id %> was revised.
-  <span class="meta">by <%= link_to who(event.user.login), :controller => 'users', :action => 'show', :id => event.user %></span>
+  <span class="meta">by <%= link_to h(who(event.user.login)), :controller => 'users', :action => 'show', :id => event.user %></span>
 </li>
diff --git a/test/functional/admin/overview_controller_test.rb b/test/functional/admin/overview_controller_test.rb
@@ -3,13 +3,13 @@
 # Re-raise errors caught by the controller.
 class Admin::OverviewController; def rescue_action(e) raise e end; end
 
-class Admin::OverviewControllerTest < Test::Unit::TestCase
-  fixtures :users, :contents, :events, :sites, :memberships
+class Admin::OverviewControllerTest < ActionController::TestCase
   def setup
-    @controller = Admin::OverviewController.new
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
-    login_as :quentin
+    Site.transaction do
+      [Site, User, Event, Article, Membership].each &:delete_all
+    end
+    @site   = Site.make
+    host! @site.host
   end
 
   def test_routing
@@ -20,41 +20,62 @@ def test_routing
   end
 
   def test_should_allow_site_admins_to_access_site
-    login_as :arthur
+    @user = User.make
+    Membership.make :user => @user, :site => @site, :admin => true
+    @request.session[:user] = User.authenticate_for(@site, @user.login, 'test')
+
     get :index
     assert_response :success
   end
 
   def test_should_allow_site_members_to_acces_overview
-    login_as :ben
-    get :index
-    assert_response :success
-  end
+    @user = User.make
+    Membership.make :user => @user, :site => @site, :admin => false
+    @request.session[:user] = User.authenticate_for(@site, @user.login, 'test')
 
-  def test_should_not_explode_on_home_page
     get :index
     assert_response :success
   end
-
+  
   def test_should_require_http_auth_on_feed
     get :feed
     assert_response 401
   end
-
-  def test_should_require_http_auth_on_feed
-    @request.env['HTTP_AUTHORIZATION'] = "Basic #{Base64.encode64("quentin:test")}"
+
+  def test_should_allow_http_auth_on_feed
+    @user = User.make
+    Membership.make :user => @user, :site => @site, :admin => true
+    @request.env['HTTP_AUTHORIZATION'] = "Basic #{Base64.encode64("#{@user.login}:test")}"
     get :feed
     assert_response :success
   end
-
+  
   def test_should_sort_future_items_in_todays_events
-    today = Time.now.utc
-    assert events(:future).update_attribute(  :created_at, today + 2.days)
-    assert events(:site_map).update_attribute(:created_at, today)
-    assert events(:about).update_attribute(   :created_at, today - 1.day)
+    Site.transaction do
+      @admin   = User.make
+      @user    = User.make
+      @article = Article.make :site => @site, :user => @user
+      @article.title = 'foo' ; @article.body = 'bar'
+      @event1  = Event.make_from @article
+      @comment = Comment.make :article => @article
+      @event2  = Event.make_from @comment
+      @article.title = 'foo2' ; @article.body = 'bar2'
+      @event3  = Event.make_from @article
+      @events  = Event.all
+      assert_equal 3, @events.size
+
+      today = Time.now.utc
+      assert @event1.update_attribute(:created_at, today + 2.days)
+      assert @event2.update_attribute(:created_at, today)
+      assert @event3.update_attribute(:created_at, today - 1.day)
+
+      Membership.make :user => @admin, :site => @site, :admin => true
+    end
+
+    @request.session[:user] = User.authenticate_for(@site, @admin.login, 'test')
     get :index
-    assert assigns(:todays_events).include?(events(:future)),    "#{assigns(:todays_events).collect(&:id).inspect}"
-    assert assigns(:todays_events).include?(events(:site_map)),  "#{assigns(:todays_events).collect(&:id).inspect}"
-    assert assigns(:yesterdays_events).include?(events(:about)), "#{assigns(:yesterdays_events).collect(&:id).inspect}"
+    assert assigns(:todays_events).include?(@event1),    "#{assigns(:todays_events).collect(&:id).inspect}"
+    assert assigns(:todays_events).include?(@event2),  "#{assigns(:todays_events).collect(&:id).inspect}"
+    assert assigns(:yesterdays_events).include?(@event3), "#{assigns(:yesterdays_events).collect(&:id).inspect}"
   end
 end