Revision 548f822d
Added by Tom Caspy about 8 years ago
| test/functional/api/v2/bookmarks_controller_test.rb | ||
|---|---|---|
|
end
|
||
|
assert_response :success
|
||
|
end
|
||
|
|
||
|
test "should only show public and user's bookmarks" do
|
||
|
get :index, {}, set_session_user
|
||
|
assert_response :success
|
||
|
assert_includes assigns(:bookmarks), bookmarks(:one)
|
||
|
refute_includes assigns(:bookmarks), bookmarks(:two)
|
||
|
end
|
||
|
|
||
|
test "should not allow actions on non public/non user bookmarks" do
|
||
|
put :update, {:id => bookmarks(:two).to_param, :bookmark => { :name => 'bar' }}, set_session_user
|
||
|
assert_response 404
|
||
|
end
|
||
|
end
|
||
Also available in: Unified diff
fixes #13828 - CVE-2016-2100 - only showing relevant bookmarks
(cherry picked from commit a61344da14f73920b4bdc7ad8220e7a0ed998031)