DG IZ; posting now ensures aspect ownership.

app/models/user.rb

@@ -105,7 +105,10 @@ class User
     end
 
     aspect_ids = [aspect_ids.to_s] if aspect_ids.is_a? BSON::ObjectId
+
     raise ArgumentError.new("You must post to someone.") if aspect_ids.nil? || aspect_ids.empty?
+    aspect_ids.each{ |aspect_id|
+      raise ArgumentError.new("Cannot post to an aspect you do not own.") unless self.aspects.find(aspect_id) }
 
     post = build_post(class_name, options)
 

spec/models/user/posting_spec.rb

@@ -30,6 +30,10 @@ describe User do
     proc {@user.post(:status_message, :message => "heyheyhey")}.should raise_error /You must post to someone/
   end
 
+  it 'should not be able to post to someone elses aspect' do
+    proc {@user.post(:status_message, :message => "heyheyhey", :to => @aspect2.id)}.should raise_error /Cannot post to an aspect you do not own./
+  end
+  
   it 'should put the post in the aspect post array' do
     post = @user.post(:status_message, :message => "hey", :to => @aspect.id)
     @aspect.reload