Although it wasn't a real security concern because we were only calling a `find` method based on the user input, it's a good practice to avoid using constants based on user parameters. Since we don't use the `find` method anymore but we still need to check the associated record exists, we're changing the `followable` validation in the `Follow` model to do exactly that.
require "rails_helper"
|
|
|
|
describe Follow do
|
|
let(:follow) { build(:follow, :followed_proposal) }
|
|
|
|
it "is valid" do
|
|
expect(follow).to be_valid
|
|
end
|
|
|
|
it "is not valid without a user_id" do
|
|
follow.user_id = nil
|
|
expect(follow).not_to be_valid
|
|
end
|
|
|
|
it "is not valid without a followable_id" do
|
|
follow.followable_id = nil
|
|
expect(follow).not_to be_valid
|
|
end
|
|
|
|
it "is not valid without a followable_type" do
|
|
follow.followable_type = nil
|
|
expect(follow).not_to be_valid
|
|
end
|
|
|
|
it "is not valid with an invalid followable_type" do
|
|
follow.followable_type = "NotARealModel"
|
|
|
|
expect { follow.valid? }.to raise_exception "uninitialized constant NotARealModel"
|
|
end
|
|
|
|
it "is not valid with the ID of a non-existent record" do
|
|
follow.followable_id = Proposal.last.id + 1
|
|
|
|
expect(follow).not_to be_valid
|
|
end
|
|
end
|
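Review bot: The example titled "is not valid with an invalid followable_type" does not assert invalidity; it asserts that `follow.valid?` raises `uninitialized constant NotARealModel`, which means a request carrying an unknown `followable_type` still reaches a constant lookup through the polymorphic association and ends in an exception rather than a validation error, the very situation the commit description says it wants to move away from. If the model is meant to reject such input (the `Follow` model is not part of this diff, so I cannot tell whether a check on `followable_type` already exists), an inclusion validation on `followable_type` against the known followable models would let this example read `expect(follow).not_to be_valid` like its siblings, and the example title would then match its expectation. The final example relies on `Proposal.last` being non-nil; if the `:followed_proposal` trait builds rather than persists its proposal this line raises `NoMethodError` before the expectation runs, so `follow.followable_id = Proposal.maximum(:id).to_i + 1` would be a sturdier way to pick an id that no record has.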