Add vote model #144
| def user_cannot_vote_on_own_projects | ||
| errors.add(:user, "cannot vote on own projects") if user_id == project.user_id | ||
| end |
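Review bot: on the second line, `user_id == project.user_id` also raises `NoMethodError` when `project` is nil, and it is true when both ids are nil, so an unsaved vote with no user is rejected with "cannot vote on own projects" instead of a presence error; return early with `return if user_id.nil? || project.nil?` before the comparison, or order the presence validations so they run first.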
Bug: project.user_id returns nil in Vote validation, allowing users to vote on their own projects.
Severity: CRITICAL | Confidence: High
🔍 Detailed Analysis
The user_cannot_vote_on_own_projects validation in app/models/vote.rb incorrectly uses project.user_id. The Project model lacks a user_id attribute, causing project.user_id to return nil. This makes the validation condition user_id == project.user_id evaluate to user_id == nil, which is almost always false, allowing users to vote on projects they own, bypassing the intended restriction.
💡 Suggested Fix
Update the user_cannot_vote_on_own_projects validation to correctly check if user_id is associated with the project via its memberships or users relationship, instead of relying on a non-existent project.user_id.
🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: app/models/vote.rb#L16-L18
Potential issue: The `user_cannot_vote_on_own_projects` validation in `app/models/vote.rb` incorrectly uses `project.user_id`. The `Project` model lacks a `user_id` attribute, causing `project.user_id` to return `nil`. This makes the validation condition `user_id == project.user_id` evaluate to `user_id == nil`, which is almost always false, allowing users to vote on projects they own, bypassing the intended restriction.
Reference_id: 2864486
| def new | ||
| # new vote | ||
| @project = Project.votable_by(current_user).first | ||
| end |
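Review bot: `Project.votable_by(current_user).first` on the third line returns nil once no votable project remains, so the view renders with a nil `@project`; handle the empty case explicitly (for example, redirect with a notice when `@project.nil?`) rather than letting the template fail.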
Bug: Unauthenticated access to /votes/new causes NoMethodError due to nil current_user.
Severity: CRITICAL | Confidence: High
🔍 Detailed Analysis
Accessing /votes/new as an unauthenticated user causes a NoMethodError. The VotesController#new action calls Project.votable_by(current_user). For unauthenticated users, current_user is nil, and without an authentication guard, the votable_by scope attempts to call methods like .projects and .votes on nil, leading to a server crash.
💡 Suggested Fix
Implement an authentication guard (e.g., before_action :authenticate_user!) for the VotesController#new action, or modify the votable_by scope to gracefully handle a nil user parameter.
🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: app/controllers/votes_controller.rb#L2-L5
Potential issue: Accessing `/votes/new` as an unauthenticated user causes a `NoMethodError`. The `VotesController#new` action calls `Project.votable_by(current_user)`. For unauthenticated users, `current_user` is `nil`, and without an authentication guard, the `votable_by` scope attempts to call methods like `.projects` and `.votes` on `nil`, leading to a server crash.
Reference_id: 2864486
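Both findings above (the ownership check that compares against a missing `project.user_id`, and the scope that is called with a nil `current_user`) come down to nil handling. The following plain-Ruby sketch is an added example, not code from this PR or the project: it models the validation and the scope with Structs, and the `member_ids` field, the `votable_by` helper and the error messages are assumptions standing in for the app's ActiveRecord associations.

```ruby
# Constructed stand-ins for the app's models (assumption: a project's owners
# are reachable through a membership list rather than a single user_id).
Project = Struct.new(:id, :member_ids)
User    = Struct.new(:id)

class Vote
  attr_reader :user_id, :project, :errors

  def initialize(user_id:, project:)
    @user_id = user_id
    @project = project
    @errors  = []
  end

  # Hardened form of user_cannot_vote_on_own_projects: check presence first so
  # a nil project is never dereferenced and nil == nil can never mark a vote
  # as "own project"; then test membership instead of a non-existent user_id.
  def valid?
    @errors = []
    @errors << "user must exist"    if user_id.nil?
    @errors << "project must exist" if project.nil?
    return false unless @errors.empty?
    @errors << "cannot vote on own projects" if project.member_ids.include?(user_id)
    @errors.empty?
  end
end

# Nil-safe counterpart of Project.votable_by(current_user): an unauthenticated
# (nil) user sees no votable projects instead of triggering NoMethodError.
def votable_by(projects, user)
  return [] if user.nil?
  projects.reject { |p| p.member_ids.include?(user.id) }
end
```

In the real controller the nil case should still be cut off earlier by an authentication `before_action`; the guard in the scope only keeps a stray nil from becoming a 500.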
No description provided.