| author | Louise Crow <louise.crow@gmail.com> | 2013-10-02 18:31:46 +0100 | 
|---|---|---|
| committer | Louise Crow <louise.crow@gmail.com> | 2013-10-02 18:31:46 +0100 | 
| commit | 0ce3891bfd26d9ec3580f67a5ec5e904b5151962 (patch) | |
| tree | b0d4da98093cba4f6aa6c1285a3f26c3ffbfb2dc | |
| parent | b597d3528ac71d17c57d3ddca9950a4430f75039 (diff) | |
Don't allow redirects to another host.
| -rw-r--r-- | app/controllers/track_controller.rb | 3 | ||||
| -rw-r--r-- | spec/controllers/track_controller_spec.rb | 33 | 
2 files changed, 35 insertions, 1 deletions
diff --git a/app/controllers/track_controller.rb b/app/controllers/track_controller.rb
index 40fa69290..72c092221 100644
--- a/app/controllers/track_controller.rb
+++ b/app/controllers/track_controller.rb
@@ -181,7 +181,8 @@ class TrackController < ApplicationController
         if new_medium == 'delete'
             track_thing.destroy
             flash[:notice] = _("You are no longer following {{track_description}}.", :track_description => track_thing.params[:list_description])
-            redirect_to params[:r]
+            redirect_to URI.parse(params[:r]).path
+
         # Reuse code like this if we let medium change again.
         #elsif new_medium == 'email_daily'
         #    track_thing.track_medium = new_medium
diff --git a/spec/controllers/track_controller_spec.rb b/spec/controllers/track_controller_spec.rb
index a16024828..57d084f6b 100644
--- a/spec/controllers/track_controller_spec.rb
+++ b/spec/controllers/track_controller_spec.rb
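Review bot: `redirect_to URI.parse(params[:r]).path` raises `URI::InvalidURIError` when `r` is absent or not a parseable URI (a value containing a space, for instance), and `path` is `nil` for an opaque URI such as `mailto:x` and `""` for `http://example.com` with no trailing slash, so the redirect can fail with a 500 or lean on Rails expanding an empty string after `track_thing.destroy` has already run. Reusing only the path component does keep the redirect on this host, but it also drops the query string and fragment of an on-site `r`, which the commit message does not mention; worth confirming that is intended. I would parse defensively and fall back to `/`, which is what the new spec already expects for off-site URLs. The enclosing method starts and ends outside the hunk.
```ruby
            # Reuse only the path of the requested return URL so the redirect stays on this host;
            # a missing, malformed or opaque value falls back to the site root instead of raising.
            return_path = begin
                URI.parse(params[:r].to_s).path
            rescue URI::InvalidURIError
                nil
            end
            redirect_to(return_path.blank? ? '/' : return_path)
```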
@@ -55,6 +55,39 @@ describe TrackController, "when making a new track on a request" do
 end
+describe TrackController, "when unsubscribing from a track" do
+
+    before do
+        @track_thing = FactoryGirl.create(:track_thing)
+    end
+
+    it 'should destroy the track thing' do
+        get :update, {:track_id => @track_thing.id,
+                      :track_medium => 'delete',
+                      :r => 'http://example.com'},
+                     {:user_id => @track_thing.tracking_user.id}
+        TrackThing.find(:first, :conditions => ['id = ? ', @track_thing.id]).should == nil
+    end
+
+    it 'should redirect to a URL on the site' do
+        get :update, {:track_id => @track_thing.id,
+                      :track_medium => 'delete',
+                      :r => '/'},
+                     {:user_id => @track_thing.tracking_user.id}
+        response.should redirect_to('/')
+    end
+
+    it 'should not redirect to a url on another site' do
+        track_thing = FactoryGirl.create(:track_thing)
+        get :update, {:track_id => @track_thing.id,
+                      :track_medium => 'delete',
+                      :r => 'http://example.com/'},
+                     {:user_id => @track_thing.tracking_user.id}
+        response.should redirect_to('/')
+    end
+
+end
+
 describe TrackController, "when sending alerts for a track" do
     render_views
