
Undefined behavior in User#abuse_report

Summary

  1. The foreign key is not explicitly specified on the User#abuse_report association.
  2. The AbuseReport model contains two references to user: reporter_id and user_id.
  3. user.abuse_report is supposed to return the single abuse report where user_id refers to the given user.
  4. Instead, user.abuse_report returns an abuse report where reporter_id refers to the current user, if such an abuse report is present.
  5. This implies a slightly more serious bug as well:
    • Assume User A filed an abuse report against User B
    • We have an abuse report where reporter_id is User A and user_id is User B
    • If User A is updated (user_a.block, for example), the abuse report would also be updated, such that both reporter_id and user_id point to User A.

Steps to reproduce

Haven't tried reproducing this from the UI, but this test case fails:

current_user = create(:user)
other_user = create(:user)
abuse_report = create(:abuse_report, reporter: current_user, user: other_user)

current_user.block # Or some other update to `current_user`

expect(abuse_report.reload.user).to eq(other_user)

What is the expected correct behavior?

  • user.abuse_report should always return an abuse report where user_id refers to the given user
  • Updates on a user should not automatically modify the associated abuse report in the manner described above
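
Summary items 1 and 2 describe a pattern that can be checked mechanically: an association with no explicit foreign key whose target model has more than one column referencing the owner. The following is an added example, not GitLab code. It is a plain-Ruby lint over a hand-written schema description, in which everything except `abuse_report`, `reporter_id` and `user_id` (the `notes` table, `reported_abuse_reports`, and all helper names) is hypothetical.

```ruby
# Constructed description of the models (hand-written, not read from GitLab):
# for each table, the columns that reference another table.
REFERENCES = {
  abuse_reports: { reporter_id: :users, user_id: :users },
  notes:         { author_id: :users, project_id: :projects } # hypothetical
}.freeze

# Constructed association declarations; foreign_key is nil when the
# declaration leaves the key to be inferred.
Association = Struct.new(:owner, :name, :target, :foreign_key)

ASSOCIATIONS = [
  Association.new(:users, :abuse_report, :abuse_reports, nil),
  Association.new(:users, :reported_abuse_reports, :abuse_reports, :reporter_id),
  Association.new(:users, :notes, :notes, nil)
].freeze

# Columns of the target table that point back at the owner's table.
def candidate_keys(assoc, references)
  references.fetch(assoc.target, {}).select { |_col, table| table == assoc.owner }.keys
end

# Ambiguous: no explicit foreign key and more than one candidate column.
def ambiguous_associations(associations, references)
  associations.select do |assoc|
    assoc.foreign_key.nil? && candidate_keys(assoc, references).size > 1
  end
end

# An explicit key must be one of the columns that reference the owner.
def invalid_explicit_keys(associations, references)
  associations.reject do |assoc|
    assoc.foreign_key.nil? || candidate_keys(assoc, references).include?(assoc.foreign_key)
  end
end

# One human-readable finding per ambiguous association.
def report(associations, references)
  ambiguous_associations(associations, references).map do |assoc|
    keys = candidate_keys(assoc, references).join(', ')
    "#{assoc.owner}##{assoc.name}: no explicit foreign key, candidates: #{keys}"
  end
end

puts report(ASSOCIATIONS, REFERENCES)
```

Declaring `foreign_key: :user_id` on the flagged association clears the finding, which matches the expected behavior listed above.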