Undefined behavior in User#abuse_report
Summary
- The foreign key is not explicitly specified on the
User#abuse_report
association. - The
AbuseReport
model contains two references to user -reporter_id
anduser_id
-
user.abuse_report
is supposed to return the single abuse report whereuser_id
refers to the given user. - Instead,
user.abuse_report
returns an abuse report wherereporter_id
refers to the current user, if such an abuse report is present. - This implies a slightly more serious bug as well:
- Assume User A filed an abuse report against User B
- We have an abuse report where
reporter_id
is User A anduser_id
is User B - If User A is updated (
user_a.block
, for example), the abuse report would also be updated, such that bothreporter_id
anduser_id
point to User A.
Steps to reproduce
Haven't tried reproducing this from the UI, but this test case fails:
current_user = create(:user)
other_user = create(:user)
abuse_report = create(:abuse_report, reporter: current_user, user: other_user)
current_user.block # Or some other update to `current_user`
expect(abuse_report.reload.user).to eq(other_user)
What is the expected correct behavior?
-
user.abuse_report
should always return an abuse report whereuser_id
refers to the given user - Updates on a user should not automatically modify the associated abuse report in the manner described above