Work#work_skin_allowed is never run as a validation

Description

The work_skin_allowed method is set up to be run in the validation context :save, but if I'm not mistaken, that validation context is never used anywhere. (Only :create and :update are used by default.) As a result, the function never runs, and a user can use another user's work skin if they know the ID and know how to use Inspect Element to change form values.

(The method does appear to be covered in codecov, but only because it's run manually in the work spec.)
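Added example, not code from the AO3 repository: a compact Ruby model of the validation-context mechanism the ticket describes. `MiniValidations` stands in for the relevant slice of ActiveModel (the real `valid?` also falls back to :create for a new record and :update otherwise, and a validation with `on:` runs only when the caller passes that context), while the ownership rule inside `work_skin_allowed`, the `WorkSkin` fields and the sample IDs are assumptions.

```ruby
# Stand-in for the slice of ActiveModel this ticket hinges on (not Rails itself):
# a validation declared with `on: X` runs only when some caller passes context X.
module MiniValidations
  def self.included(base); base.extend(ClassMethods); end
  module ClassMethods
    def validations; @validations ||= []; end
    def validate(method_name, on: nil); validations << [method_name, on]; end
  end
  attr_reader :errors
  # ActiveModel's default contexts; `on: :save` never equals either of them.
  def valid?(context = nil)
    context ||= new_record? ? :create : :update
    @errors = []
    self.class.validations.each do |method_name, on|
      send(method_name) if on.nil? || on == context
    end
    @errors.empty?
  end
end

# Constructed stand-ins for the WorkSkin and Work records (not AO3's schema).
WorkSkin = Struct.new(:id, :author_id, :is_public)

class Work
  attr_reader :user_id, :work_skin
  def initialize(user_id:, work_skin:, new_record: true)
    @user_id, @work_skin, @new_record = user_id, work_skin, new_record
  end
  def new_record?; @new_record; end
  # Assumed rule: a skin is usable if it is public or owned by the posting user.
  def work_skin_allowed
    return if work_skin.nil? || work_skin.is_public || work_skin.author_id == user_id
    @errors << "work skin #{work_skin.id} is not available to user #{user_id}"
  end
end

# As declared in the ticket: :save is never the active context, so this never runs.
class BuggyWork < Work
  include MiniValidations
  validate :work_skin_allowed, on: :save
end

# Fixed declaration: with no `on:` the check runs for both :create and :update.
class FixedWork < Work
  include MiniValidations
  validate :work_skin_allowed
end
```

With `BuggyWork`, a private skin belonging to another user passes `valid?` untouched; with `FixedWork` the same record fails on create and on update, while the owner's own skin and any public skin still pass.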

Testing Instructions:

  1. Log in as User A.

  2. Go to Dashboard > Skins > My Work Skins.

  3. If you haven't already created a work skin, press "Create Work Skin" and fill in the fields. Try to use a skin that's very obvious when it's applied, like something that turns all paragraphs red.

  4. Click "Edit" on one of your work skins, and copy the ID from the URL.

  5. Log in as User B.

  6. Go to Post > New Work and fill in all of the required fields.

  7. Select a skin from the "Select Work Skin" menu.

  8. Use Inspect Element on the skins dropdown to set the value associated with that skin to the ID of User A's skin.

  9. Press "Preview" or "Post Without Preview."

  10. Notice that User A's skin has been applied, even though you don't have permission to use it.

Environment

None

Status

Assignee

Unassigned

Reporter

ticking instant

Roadmap

Skins

Priority

Medium

Affects versions

Fix versions

None

Components

BackEnd

Difficulty

Medium

Required Access Level

None

Milestone

Internal 0.9