From eaf5d21c41477cee4241aa310fbe6bfe9284f9b2 Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Tue, 14 Apr 2015 11:49:44 -0400
Subject: [PATCH] Don't store post timings that are greater than the account
 lifetime

---
 app/models/post_timing.rb       |  4 +++-
 spec/models/post_timing_spec.rb | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/app/models/post_timing.rb b/app/models/post_timing.rb
index 245f512c6..a1cf4dd60 100644
--- a/app/models/post_timing.rb
+++ b/app/models/post_timing.rb
@@ -65,9 +65,11 @@ class PostTiming < ActiveRecord::Base
   def self.process_timings(current_user, topic_id, topic_time, timings)
     current_user.user_stat.update_time_read!
 
+    account_age_msecs = ((Time.now - current_user.created_at) * 1000.0)
+
     highest_seen = 1
     timings.each do |post_number, time|
-      if post_number >= 0
+      if post_number >= 0 && time < account_age_msecs
         PostTiming.record_timing(topic_id: topic_id,
                                  post_number: post_number,
                                  user_id: current_user.id,
diff --git a/spec/models/post_timing_spec.rb b/spec/models/post_timing_spec.rb
index 452d6ad3e..b2c18dd80 100644
--- a/spec/models/post_timing_spec.rb
+++ b/spec/models/post_timing_spec.rb
@@ -60,6 +60,22 @@ describe PostTiming do
     end
   end
 
+  describe 'safeguard' do
+    it "doesn't store timings that are larger than the account lifetime" do
+      user = Fabricate(:user, created_at: 3.minutes.ago)
+      post = Fabricate(:post)
+
+      PostTiming.process_timings(user, post.topic_id, 1, [[post.post_number, 123]])
+      msecs = PostTiming.where(post_number: post.post_number, user_id: user.id).pluck(:msecs)[0]
+      expect(msecs).to eq(123)
+
+      PostTiming.process_timings(user, post.topic_id, 1, [[post.post_number, 10.minutes.to_i * 1000]])
+      msecs = PostTiming.where(post_number: post.post_number, user_id: user.id).pluck(:msecs)[0]
+      expect(msecs).to eq(123)
+    end
+
+  end
+
   describe 'process_timings' do
 
     # integration test