Hi guys, this one is puzzling me xD. I'm sure it's something small that my logic just doesn't compute... I have the following test in my controller spec:
describe "delete 'destroy'" do
  before(:each) do
    # @post1 sits on @user2's wall, @post2 on @user's own wall
    @post1 = @user.posts.create(:wall_id => @user2, :body => "foobar")
    @post2 = @user.posts.create(:wall_id => @user, :body => "Foobar2")
  end

  describe "failure" do
    it "some long description that i shortened for stackoverflow" do
      lambda do
        delete :destroy, :id => @post1
        # a bare `=~` asserts nothing; use the matcher so a missing flash fails the spec
        flash[:error].should =~ /not allowed/i
        response.should redirect_to(user_path(@user))
      end.should_not change(Post, :count)
    end
  end
end
The @user is signed in using the Devise helper, and that works fine because I have some other tests before this one and they run just fine.
So in my controller I have:
before_filter :authorize_destroy, :except => [:index, :create]

def destroy
  @post.destroy
  flash[:success] = "Post destroyed"
  respond_to do |format|
    format.html { redirect_to user_path(@post.wall_id) }
  end
end

private

# own_wall? is a helper defined elsewhere in the app
def authorize_destroy
  @post = Post.find(params[:id])
  redirect_to user_path(@post.owner) unless own_wall?(@post.owner)
end
And for some reason authorize_destroy passes even if @user tries to delete a post that belongs to @user2 (as in :wall_id == @user2). That should not be possible.
Oh, and for clarity, @post.owner is an association in the post model, so that:

@post = { :user_id => 1, :wall_id => 2, :body => "foobar" }
@post.user  => user1
@post.owner => user2
Thanks guys, I'm seriously confused in a funny way... because I know it's not a bug, there is just something wrong in my logic somewhere :D
Have a good one.
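The authorization rule from the question (a post may only be destroyed by the user who owns the wall it sits on), written as plain Ruby so it can be unit-tested without Rails. This is an added example, not the asker's code; `WallAuthorizer`, the in-memory `posts` hash and the `Struct`s are assumptions standing in for the app's models and `Post.find`.

```ruby
# Constructed stand-ins for the app's models: user_id is the author,
# wall_id is the user whose wall the post was written on.
User = Struct.new(:id, :name)
Post = Struct.new(:id, :user_id, :wall_id, :body)

class WallAuthorizer
  def initialize(current_user, posts)
    @current_user = current_user   # nil when nobody is signed in
    @posts = posts                 # { id => Post }, constructed store in place of Post.find
  end

  # Mirrors own_wall?(@post.owner): the signed-in user must own the wall.
  # Compares ids rather than objects and fails closed when there is no
  # signed-in user or the post has no wall at all.
  def own_wall?(wall_id)
    return false if @current_user.nil? || wall_id.nil?
    @current_user.id == wall_id
  end

  # The destroy path with the check in front of it. Returns
  # [:destroyed, post], [:denied, post] or [:not_found, nil];
  # the store is only touched on the :destroyed branch.
  def destroy(post_id)
    post = @posts[post_id]
    return [:not_found, nil] if post.nil?
    return [:denied, post] unless own_wall?(post.wall_id)
    @posts.delete(post_id)
    [:destroyed, post]
  end

  def count
    @posts.size
  end
end

# Sample data mirroring the spec: @user writes on @user2's wall and on his own.
def sample_store
  { 1 => Post.new(1, 1, 2, "foobar"),   # @post1: on @user2's wall
    2 => Post.new(2, 1, 1, "Foobar2") } # @post2: on @user's own wall
end
```

The denied branch must leave the count unchanged, which is exactly what the `should_not change(Post, :count)` expectation in the spec checks.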