Use only the main id parameter to find Article to update

publify · May 22, 2022 · c0aba87 · c0aba87
1 parent d254b06
commit c0aba87
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/publify_core/app/controllers/admin/content_controller.rb b/publify_core/app/controllers/admin/content_controller.rb
@@ -58,9 +58,9 @@ def create
   end
 
   def update
-    return unless access_granted?(params[:id])
+    id = params[:id]
+    return unless access_granted?(id)
 
-    id = params[:article][:id] || params[:id]
     @article = Article.find(id)
 
     if params[:article][:draft]

diff --git a/publify_core/spec/controllers/admin/content_controller_spec.rb b/publify_core/spec/controllers/admin/content_controller_spec.rb
@@ -527,6 +527,26 @@ def base_article(options = {})
         it { expect(article.reload.text_filter.name).to eq("textile") }
         it { expect(article.reload.body).to eq(body) }
       end
+
+      context "with an owned article and another user's article" do
+        let(:article) { create(:article, body: "another *textile* test", user: publisher) }
+        let(:other_article) { create(:article, body: "other article") }
+        let(:body) { "not the *same* text" }
+
+        before do
+          put :update,
+              params: { id: article.id,
+                        article: { id: other_article.id, body: body } }
+        end
+
+        it "ignores the extra id passed in the article parameters" do
+          aggregate_failures do
+            expect(response).to redirect_to(action: "index")
+            expect(article.reload.body).to eq(body)
+            expect(other_article.reload.body).not_to eq(body)
+          end
+        end
+      end
     end
   end