Prevent shadowing real user profiles by dummy ones

2014-02-12 19:51:25 +01:00 · 2014-02-12 19:51:25 +01:00 · 9b32e2dc37
commit 9b32e2dc37
parent 3d9d338a3e
4 changed files with 45 additions and 4 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -9,7 +9,7 @@ class UsersController < ApplicationController
  end

  def show
-    user = User.find_by_nickname!(params[:nickname])
+    user = User.real_for_nickname!(params[:nickname])
    render locals: { page: UserPagePresenter.build(user, current_user) }
  end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -14,6 +14,8 @@ class User < ActiveRecord::Base
  validates :nickname, uniqueness: { scope: :dummy }, unless: :dummy
  validates :email, presence: true, uniqueness: true, unless: :dummy

+  scope :real, -> { where(dummy: false) }
+
  before_create :generate_auth_token

  def self.for_credentials(credentials)
@ -24,6 +26,10 @@ class User < ActiveRecord::Base
    where(email: email).first
  end

+  def self.real_for_nickname!(nickname)
+    real.where(nickname: nickname).first!
+  end
+
  def self.for_api_token(token, username)
    return nil if token.blank?

--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -86,7 +86,37 @@ describe UsersController do
  end

  describe '#show' do
-    it 'should have specs'
+    subject { get :show, nickname: nickname }
+
+    let(:nickname) { user.nickname }
+
+    before do
+      subject
+    end
+
+    context "when real user nickname given" do
+      let(:user) { create(:user) }
+
+      it 'renders "show" template with HomePagePresenter as page' do
+        should render_template('show')
+      end
+    end
+
+    context "when dummy user nickname given" do
+      let(:user) { create(:dummy_user) }
+
+      it "responds with 404" do
+        expect(subject).to be_not_found
+      end
+    end
+
+    context "when fictional nickname given" do
+      let(:nickname) { 'nononono-no' }
+
+      it "responds with 404" do
+        expect(subject).to be_not_found
+      end
+    end
  end

  describe '#edit' do
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@ -2,14 +2,19 @@

 FactoryGirl.define do
  sequence(:uid) { |n| n }
-  sequence(:nickname) { |n| "mrFoo#{n}" }
+  sequence(:nickname) { |n| "user#{n}" }

  factory :user do
    provider "twitter"
    uid
-    sequence(:nickname) { |n| "foobar#{n}" }
+    sequence(:nickname) { generate(:nickname) }
    sequence(:email) { |n| "foo#{n}@bar.com" }
    name nil
    avatar_url nil
  end
+
+  factory :dummy_user, class: User do
+    dummy true
+    sequence(:nickname) { generate(:nickname) }
+  end
 end