Revision 548f822d
Added by Tom Caspy about 8 years ago
test/functional/api/v2/bookmarks_controller_test.rb | ||
end
assert_response :success
end
test "should only show public and user's bookmarks" do
get :index, {}, set_session_user
assert_response :success
assert_includes assigns(:bookmarks), bookmarks(:one)
refute_includes assigns(:bookmarks), bookmarks(:two)
end
test "should not allow actions on non public/non user bookmarks" do
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
assert_response 404
end
end
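Review bot: The test titled `should not allow actions on non public/non user bookmarks` exercises only `put :update`, so the regression coverage for this authorization fix is narrower than its title suggests; adding `get :show, {:id => bookmarks(:two).to_param}, set_session_user` and `delete :destroy, {:id => bookmarks(:two).to_param}, set_session_user`, each followed by `assert_response 404`, would pin the same contract for the other actions on a bookmark the session user should not see. Both new tests also rest on an unstated fixture invariant — presumably that `bookmarks(:one)` is public or owned by the session user while `bookmarks(:two)` is neither — which is worth recording in a comment above the first new test, e.g. `# fixtures: :one is visible to the session user (public or owned), :two is private and owned by another user`. `assert_response :not_found` would match the `:success` symbol style used in the same file. The test at the top of the section is cut off; its definition starts outside the hunk.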
fixes #13828 - CVE-2016-2100 - only showing relevant bookmarks
(cherry picked from commit a61344da14f73920b4bdc7ad8220e7a0ed998031)