changed user_id to id

cktricky
2017-12-19 08:26:02 -05:00
parent f23ecdde3f
commit 00af8293b2
6 changed files with 11 additions and 11 deletions
+4 -4
@@ -3,7 +3,7 @@ require "spec_helper"
feature "insecure direct object reference" do
let(:normal_user) { UserFixture.normal_user }
let(:another_user) { User.find_by(user_id: 2) }
let(:another_user) { User.find_by(id: 2) }
before do
UserFixture.reset_all_users
@@ -13,7 +13,7 @@ feature "insecure direct object reference" do
scenario "attack one" do
login(normal_user)
visit "/users/#{normal_user.user_id}/benefit_forms"
visit "/users/#{normal_user.id}/benefit_forms"
download_url = first(".widget-body a")[:href]
visit download_url.sub(/name=(.*?)&/, "name=config/database.yml&")
@@ -22,9 +22,9 @@ feature "insecure direct object reference" do
end
scenario "attack two\nTutorial: https://github.com/OWASP/railsgoat/wiki/A4-Insecure-Direct-Object-Reference" do
expect(normal_user.user_id).not_to eq(another_user.user_id)
expect(normal_user.id).not_to eq(another_user.id)
visit "/users/#{another_user.user_id}/work_info"
visit "/users/#{another_user.id}/work_info"
expect(first("td").text).not_to include(another_user.name)
expect(first("td").text).to include(normal_user.name)
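Review bot: The new `let(:another_user) { User.find_by(id: 2) }` in the first hunk pins the second account to a hard-coded primary key, and `find_by` returns nil when no such row exists. If `UserFixture.reset_all_users` recreates rows (not visible here), the ids may no longer start at 1, and "attack two" would then fail with a NoMethodError on `another_user.id` instead of exercising the access-control check. Selecting the other account relative to the logged-in one, e.g. `let(:another_user) { User.where.not(id: normal_user.id).first! }`, keeps the IDOR regression test meaningful and makes a missing fixture fail loudly. The `feature` block and the "attack two" scenario both continue outside the hunks shown.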