Hi Matt, yes sorry I left that line out of my new test code, but I
have been setting up a valid user in the session in my real code, so
that's not the problem. The corrected test method is below:

  session[:user] = users(:one).typed_id
  assert_difference('Widget.count') do
    get :new
    post :create, :widget => {:content => 'test data'}
  end

I've done some playing around and it seems that without the 'get' call
happening first the session[:user] variable isn't available in the
controller when I make the post, hence there is no valid user and as
you say Matt the permissions checks won't run. So the 'get' sets up
the session.
This behaviour seems odd as surely someone could post directly to my
controller and avoid all the permissions checks as there will be no
valid user in the session. Or is this behaviour only happening because
I'm posting from within a test and it couldn't be recreated by someone
external firing a post request to my live app?
On Apr 21, 4:14 pm, Matt Jones <[email protected]> wrote:
> On Apr 21, 2010, at 10:12 AM, Dan wrote:
>
> > Hi,
>
> > I'm writing functional tests for my Hobo controllers. It seems that if
> > I just post a 'create' request the permissions restrictions are being
> > ignored. I've set up a basic example in my app to check what was going
> > on. So I have a class called Widget, which should disallow all create
> > requests. See model below:
>
> > class Widget < ActiveRecord::Base
> >   hobo_model # Don't put anything above this
>
> >   fields do
> >     content :text, :required
> >     timestamps
> >   end
>
> >   def create_permitted?
> >     false
> >   end
> >   ....
> > end
>
> > However, if I run this test below, it creates a new record, and hence
> > passes:
>
> > assert_difference('Widget.count') do
> >   post :create, :widget => {:content => 'test data'}
> > end
>
> Not sure, but is the functional test 'post' method setting up the
> current_user stuff correctly? The permission checks get bypassed if
> acting_user is nil (can't happen via a live controller action, as not-
> logged-in users still have an instance of Hobo::Guest). See around
> line 135 of permissions.rb for more details.
>
> --Matt Jones
>
> --
> You received this message because you are subscribed to the Google Groups
> "Hobo Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group
> at http://groups.google.com/group/hobousers?hl=en.
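
The behaviour discussed in this thread, as a simplified plain-Ruby model added here as an example (it is not Hobo's code or either poster's): a check that is skipped when acting_user is nil, next to a fail-closed variant that treats nil as a guest. The names PermissionDenied, STORE, save_skipping_when_nil, save_fail_closed and attempt are hypothetical, and Guest is only a stand-in for Hobo::Guest.

```ruby
# Simplified model of the thread's scenario; not taken from Hobo.
class PermissionDenied < StandardError; end

# Stand-in for Hobo::Guest, the user object a not-logged-in request gets.
class Guest
  def guest?; true; end
end

class Widget
  attr_accessor :acting_user, :content
  STORE = [] # constructed in-memory stand-in for the widgets table

  def initialize(content)
    @content = content
  end

  # Same policy as the model in the thread: nobody may create.
  def create_permitted?
    false
  end

  # Behaviour described in the reply: no acting_user, no check.
  def save_skipping_when_nil
    raise PermissionDenied if acting_user && !create_permitted?
    STORE << self
    true
  end

  # Fail-closed variant: a missing user becomes a Guest, so the
  # policy method always runs before anything is stored.
  def save_fail_closed
    self.acting_user ||= Guest.new
    raise PermissionDenied unless create_permitted?
    STORE << self
    true
  end
end

# Hypothetical helper: try one create and report the outcome.
def attempt(save_method, user)
  widget = Widget.new('test data')
  widget.acting_user = user
  widget.public_send(save_method)
  :created
rescue PermissionDenied
  :denied
end
```

A functional test that wants to prove create is denied should therefore run with a real or guest user in place, since a nil user exercises the skipped-check path rather than the policy.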