From 9b32e2dc37b24586cc0ba519db6de7c89f750153 Mon Sep 17 00:00:00 2001
From: Marcin Kulik
Date: Wed, 12 Feb 2014 19:51:25 +0100
Subject: [PATCH] Prevent shadowing real user profiles by dummy ones

---
 app/controllers/users_controller.rb       |  2 +-
 app/models/user.rb                        |  6 +++++
 spec/controllers/users_controller_spec.rb | 32 ++++++++++++++++++++++-
 spec/factories/users.rb                   |  9 +++++--
 4 files changed, 45 insertions(+), 4 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index f8aebf0..4bae9c8 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -9,7 +9,7 @@ class UsersController < ApplicationController
   end
 
   def show
-    user = User.find_by_nickname!(params[:nickname])
+    user = User.real_for_nickname!(params[:nickname])
 
     render locals: { page: UserPagePresenter.build(user, current_user) }
   end
diff --git a/app/models/user.rb b/app/models/user.rb
index bf7343c..ce2a450 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -14,6 +14,8 @@ class User < ActiveRecord::Base
   validates :nickname, uniqueness: { scope: :dummy }, unless: :dummy
   validates :email, presence: true, uniqueness: true, unless: :dummy
 
+  scope :real, -> { where(dummy: false) }
+
   before_create :generate_auth_token
 
   def self.for_credentials(credentials)
@@ -24,6 +26,10 @@ class User < ActiveRecord::Base
     where(email: email).first
   end
 
+  def self.real_for_nickname!(nickname)
+    real.where(nickname: nickname).first!
+  end
+
   def self.for_api_token(token, username)
     return nil if token.blank?
 
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index e97289f..4318b6a 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
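Review bot: The 404 that the new `show` now relies on comes from `first!` raising `ActiveRecord::RecordNotFound`, and nothing in this hunk turns that exception into a response; production Rails maps it to 404 by default, but in a controller spec the exception propagates unless `ApplicationController` has a `rescue_from` for it (not visible here), so the `be_not_found` expectations in the spec hunk may fail or pass for a reason this diff does not show. Worth confirming where `RecordNotFound` is handled, and documenting the contract on the lookup, e.g. `# Raises ActiveRecord::RecordNotFound (rendered as 404) when no real user has this nickname.` The enclosing `UsersController` class starts and ends outside the hunk.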
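Review bot: `scope :real, -> { where(dummy: false) }` excludes rows whose `dummy` column is NULL, so if that column is nullable (the schema is not in the diff) every pre-existing real user with a NULL value becomes unreachable through `real_for_nickname!` in the second hunk and their profile 404s. Either guarantee `null: false, default: false` on the column in a migration, or make the scope explicit: `scope :real, -> { where(dummy: [false, nil]) }`. Separately, the `uniqueness: { scope: :dummy }` validation shown in the context is enforced only in the application, so two concurrent signups can still create two real users with the same nickname and `first!` will then silently return one of them; a unique index on `nickname` restricted to non-dummy rows (a partial index, where the database supports it) makes the one-real-user-per-nickname assumption durable and also serves this lookup. The enclosing `User` class starts and ends outside both hunks.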
@@ -86,7 +86,37 @@ describe UsersController do
   end
 
   describe '#show' do
-    it 'should have specs'
+    subject { get :show, nickname: nickname }
+
+    let(:nickname) { user.nickname }
+
+    before do
+      subject
+    end
+
+    context "when real user nickname given" do
+      let(:user) { create(:user) }
+
+      it 'renders "show" template with HomePagePresenter as page' do
+        should render_template('show')
+      end
+    end
+
+    context "when dummy user nickname given" do
+      let(:user) { create(:dummy_user) }
+
+      it "responds with 404" do
+        expect(subject).to be_not_found
+      end
+    end
+
+    context "when fictional nickname given" do
+      let(:nickname) { 'nononono-no' }
+
+      it "responds with 404" do
+        expect(subject).to be_not_found
+      end
+    end
   end
 
   describe '#edit' do
diff --git a/spec/factories/users.rb b/spec/factories/users.rb
index e9fbe5c..89c91a7 100644
--- a/spec/factories/users.rb
+++ b/spec/factories/users.rb
@@ -2,14 +2,19 @@ FactoryGirl.define do
   sequence(:uid) { |n| n }
 
-  sequence(:nickname) { |n| "mrFoo#{n}" }
+  sequence(:nickname) { |n| "user#{n}" }
 
   factory :user do
     provider "twitter"
     uid
-    sequence(:nickname) { |n| "foobar#{n}" }
+    sequence(:nickname) { generate(:nickname) }
     sequence(:email) { |n| "foo#{n}@bar.com" }
     name nil
     avatar_url nil
   end
+
+  factory :dummy_user, class: User do
+    dummy true
+    sequence(:nickname) { generate(:nickname) }
+  end
 end
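Review bot: The scenario in the commit title — a real user and a dummy user sharing one nickname — is not exercised: the dummy-user context creates only a dummy whose nickname comes from the shared `:nickname` sequence (both factories draw from it in the factory hunk below), so no real user ever competes for it. Add a context that creates both records with the same explicit nickname, e.g. `let(:user) { create(:user) }` plus `before { create(:dummy_user, nickname: user.nickname) }`, and asserts that `show` still renders the real user's page. The first example's description names `HomePagePresenter`, which appears nowhere in the change (the controller hunk builds a `UserPagePresenter`) while the body only checks the template; rename it to `it 'renders the "show" template'` or assert the presenter it claims. The enclosing `describe UsersController` block starts and ends outside the hunk.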