
Fix the way anonymous posts are treated

1 parent 373da82 commit 396b412d9cc82fb788386f5530ea16e49830ce74 @titanous titanous committed Oct 3, 2012
Showing with 12 additions and 1 deletion.
  1. +4 −1 lib/tentd/api/posts.rb
  2. +8 −0 spec/integration/api/posts_spec.rb
@@ -157,23 +157,26 @@ def authorize_post!(env)
post = env.params.data
if auth_is_publisher?(env.current_auth, post)
post.following_id = env.current_auth.id if env.current_auth.kind_of?(Model::Following)
+ post.original = false
env.authorized_scopes << :write_posts
elsif anonymous_publisher?(env.current_auth, post) && post != env['tent.entity']
+ raise Unauthorized if post.entity == env['tent.entity']
env.authorized_scopes << :write_posts
post.original = false
elsif env.authorized_scopes.include?(:import_posts)
post.entity ||= env['tent.entity']
post.app ||= env.current_auth.app
+ post.original = post.entity == env['tent.entity']
if post.following_id && following = Model::Following.first(:public_id => post.following_id)
post.following_id = following.id
end
elsif env.current_auth.respond_to?(:app)
post.entity = env['tent.entity']
post.app = env.current_auth.app
+ post.original = true
post.following_id = nil
post.id = nil
end
- post.original = post.entity == env['tent.entity'] if post.original.nil?
authorize_env!(env, :write_posts)
end
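Review bot: The `elsif` guard directly above the new `raise Unauthorized` still reads `post != env['tent.entity']`, which compares the post object with the entity string and is therefore always true, so the new raise is the only thing that actually stops an anonymous publisher from writing as the server's own entity. Drop the dead comparison so the check that matters is the visible one: `elsif anonymous_publisher?(env.current_auth, post)`. The comparison `post.entity == env['tent.entity']` is an exact string match; if entity URIs can reach this point in non-canonical forms (trailing slash, host case) the raise would not trigger, and I cannot tell from this hunk whether entities are normalized upstream. `post.original = false` now appears in both the publisher and the anonymous branches, so a short comment such as `# posts written on behalf of another entity are never original` would explain why the nil-fallback assignment was removed. authorize_post! begins outside the hunk.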
@@ -732,6 +732,14 @@ def authorize!(*scopes)
expect(body['id']).to eq(post.public_id)
expect(post.public_id).to eq(post_attributes[:id])
end
+
+ it 'should not allow posting as the entity' do
+ post_attributes = p.attributes
+ post_attributes[:id] = rand(36 ** 6).to_s(36)
+ post_attributes[:type] = p.type.uri
+ json_post "/posts", post_attributes.merge(:entity => 'https://example.org'), env.merge('tent.entity' => 'https://example.org')
+ expect(last_response.status).to eq(403)
+ end
end
end
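Review bot: The new example asserts only the 403 status and never checks that the rejected post was not persisted, which is the property the server-side change is meant to protect. After the request, look up `post_attributes[:id]` as a public_id (the preceding example already resolves posts that way via `post.public_id`) and expect the result to be nil, so a regression that stores the post but still returns 403 is caught. The `env` and `p` fixtures used here are defined outside the hunk, so I cannot confirm from this view that the request goes through the anonymous-publisher path rather than the publisher path.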
