From b03eb84bb640fd5afbff0a899b3afbce34df3ed9 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 29 Jun 2024 00:14:42 +0100
Subject: [PATCH] Only the sender of a message should be able to mark it as read/unread

---
 app/controllers/messages_controller.rb       |  2 +-
 test/controllers/messages_controller_test.rb | 12 ++++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
index 779174e25..e4d6c70d9 100644
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@@ -117,7 +117,7 @@ class MessagesController < ApplicationController
   # Set the message as being read or unread.
   def mark
-    @message = Message.where(:recipient => current_user).or(Message.where(:sender => current_user)).find(params[:message_id])
+    @message = current_user.messages.find(params[:message_id])
     if params[:mark] == "unread"
       message_read = false
       notice = t ".as_unread"
diff --git a/test/controllers/messages_controller_test.rb b/test/controllers/messages_controller_test.rb
index db3a200b6..3f19b5819 100644
--- a/test/controllers/messages_controller_test.rb
+++ b/test/controllers/messages_controller_test.rb
@@ -369,10 +369,10 @@ class MessagesControllerTest < ActionDispatch::IntegrationTest
   ##
   # test the mark action
   def test_mark
-    user = create(:user)
+    sender_user = create(:user)
     recipient_user = create(:user)
     other_user = create(:user)
-    message = create(:message, :unread, :sender => user, :recipient => recipient_user)
+    message = create(:message, :unread, :sender => sender_user, :recipient => recipient_user)
 
     # Check that the marking a message requires us to login
     post message_mark_path(message)
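Review bot: The commit title says only the sender may mark a message, but the new lookup `current_user.messages.find(params[:message_id])` together with the test added in the same patch (the sender gets `no_such_message`, the recipient proceeds) indicates the enforced rule is the opposite: only the recipient can change the read state, which is the sensible authorization boundary since read/unread is recipient-side state. The comment above `def mark` should record that decision so the scope is not widened again, e.g. `# Set the message as being read or unread. The lookup is scoped to current_user.messages so only the recipient can change it; any other id (including a message this user sent) raises RecordNotFound and renders a 404 instead of silently touching someone else's row.` This relies on the `messages` association on User being the received-messages scope and on RecordNotFound being rescued into the `no_such_message` template, neither of which is visible in this hunk, so both are worth confirming. The body of `mark` continues past the end of the hunk.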
@@ -386,6 +386,14 @@ class MessagesControllerTest < ActionDispatch::IntegrationTest
     assert_response :not_found
     assert_template "no_such_message"
 
+    # Login as the message sender_user
+    session_for(sender_user)
+
+    # Check that marking a message we sent fails
+    post message_mark_path(message)
+    assert_response :not_found
+    assert_template "no_such_message"
+
     # Login as the message recipient_user
     session_for(recipient_user)
-- 
2.39.5
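Review bot: The new negative case for the sender only checks the response and template; it should also assert that the message row was not modified, otherwise a regression that updates the record before rendering the 404 would still pass this test. After the sender's `post message_mark_path(message)` block, add `assert_not message.reload.message_read` (assuming the attribute is `message_read`, as the controller's local variable name suggests — adjust to the real column). The comment `# Login as the message sender_user` reads awkwardly and could simply be `# Login as the message sender`. `test_mark` continues beyond the end of the hunk.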