mirror of
https://github.com/discourse/discourse.git
synced 2024-12-02 02:13:39 +08:00
7b53e610c1
The watched words controller's creation function, create_or_update_word(), doesn’t validate the length of the replacement parameter when creating a "replace" watched word, although it does validate the word parameter. As a result, anyone with moderator privileges can create watched words with almost unlimited characters.
# frozen_string_literal: true
# System spec for the admin watched-words page, driven through the browser
# as a fabricated admin user.
#
# Two behaviours are pinned:
#   1. a newly added word is listed, and is still listed after the page is
#      visited again;
#   2. a 101-character word is refused with the "too long" error message.
#
# NOTE(review): only the length limit of the word itself is asserted here.
# The replacement value of a "replace"-type watched word is never entered by
# this spec, so a missing length check on that field would go unnoticed by it.
# NOTE(review): these examples only show what the UI reports; whether the
# endpoint rejects an oversized value sent to it directly is presumably
# covered by a request-level spec elsewhere. Confirm.
describe "Admin Watched Words", type: :system, js: true do
  fab!(:current_user) { Fabricate(:admin) }

  let(:watched_words_page) { PageObjects::Pages::AdminWatchedWords.new }

  before do
    sign_in(current_user)
  end

  it "correctly saves watched words" do
    watched_words_page.visit
    watched_words_page.add_word("foo")
    expect(watched_words_page).to have_word

    # Visit the page a second time and check the word is still listed.
    watched_words_page.visit
    expect(watched_words_page).to have_word
  end

  it "shows error when character limit is exceeded" do
    # One character over the 100-character maximum named in the error text.
    oversized_word = "a" * 101

    watched_words_page.visit
    watched_words_page.add_word(oversized_word)

    expect(watched_words_page).to have_error("Word is too long (maximum is 100 characters)")
  end
end